<p><b>eHackNews :- The Hackers News Hub</b></p>
<p><b>iPhone apps abuse iOS push notifications to collect user data</b></p>
<p>Numerous iOS apps are using background processes triggered by push notifications to collect user data about devices, potentially allowing the creation of fingerprinting profiles used for tracking.</p>
<p>According to mobile researcher Mysk, who discovered this practice, these apps bypass Apple's background app activity restrictions and constitute a privacy risk for iPhone users.</p>
<p>"Apps should not attempt to surreptitiously build a user profile based on collected data and may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from Apple-provided APIs or any data that you say has been collected in an 'anonymized,' 'aggregated,' or otherwise non-identifiable way," reads a section of Apple's App Store review guidelines.</p>
<p>After analyzing what data is sent by iOS background processes when receiving or clearing notifications, Mysk found that the practice was far more prevalent than previously thought, involving many apps with a considerable user base.</p>
<p><b>Wake up and collect data</b></p>
<p>Apple designed iOS not to allow apps to run in the background, both to limit resource consumption and for better security. When an app is not in use, it is suspended and eventually terminated, so it can't monitor or interfere with foreground activities.</p>
<p>In iOS 10, though, Apple introduced a new system that allows apps to quietly launch in the background to process new push notifications before the device displays them.</p>
<p>The system allows apps that receive push notifications to decrypt the incoming payload and download additional content from their servers to enrich it before it's served to the user. Once this process is done, the app is terminated again.</p>
<p>Through testing, Mysk found that many apps abuse this feature, treating it as a window of opportunity to transmit data about a device back to their servers.</p><p>
Depending on the app, this includes system uptime, locale, keyboard language, available memory, battery status, storage use, device model, and display brightness.</p>
<p>Figure: LinkedIn's network data exchange during the arrival of a push notification. Source: Mysk</p>
<p>The researcher believes this data can be used for fingerprinting/user profiling, allowing for persistent tracking, which is strictly prohibited in iOS.</p>
<p>"Our tests show that this practice is more common than we expected. The frequency at which many apps send device information after being triggered by a notification is mind-blowing," explains Mysk in a post on Twitter.</p>
<p>Mysk created a video displaying the network traffic exchange during the reception of push notifications by TikTok, Facebook, X (Twitter), LinkedIn, and Bing.</p>
<p>The apps were found to send a wide range of device data to their servers using services like Google Analytics, Firebase, or their own proprietary systems.</p>
<p>BleepingComputer contacted Microsoft, X, Apple, TikTok, and LinkedIn about their apps retrieving user data, but a reply was not immediately available.</p>
<p><b>Mitigating the issue</b></p>
<p>Apple will plug the gap and prevent further abuse of push notification wake-ups by tightening restrictions on using APIs for device signals.</p>
<p>Mysk told BleepingComputer that starting in Spring 2024, apps will be required to declare precisely why they need to use APIs that can be abused for fingerprinting.</p>
<p>These APIs are used to retrieve information about a device, such as its disk space, system boot time, file timestamps, active keyboards, and user defaults.</p>
<p>If apps do not properly declare their use of these APIs and what they are being used for, Apple says that they will be rejected from the App Store.</p>
<p>Until that happens, iPhone users who want to evade this fingerprinting should disable push notifications entirely. Unfortunately, making notifications silent will not prevent abuse.</p>
<p>To disable notifications, open 'Settings,' head to 'Notifications,' select the app you want to manage notifications for, and tap the toggle to disable 'Allow Notifications.'</p>
<p>In December, it was revealed that governments were requesting push notification records sent through Apple's and Google's servers as a way to spy on users.</p>
<p>Apple said that the US government prohibited them from sharing any information on these requests and has since updated their transparency reporting.</p>
<p>Posted by Divya Singh, 2024-01-27.</p>
<p><b>Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT</b></p>
<p>Posted 2024-01-27.</p>
<p><b>Summary</b></p>
<p>A financially motivated threat actor is targeting Mexican banks and cryptocurrency trading entities with custom packaged installers delivering a modified version of AllaKore RAT – an open-source remote access tool.</p>
<p>Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.</p>
<p>The targeting we observed was indifferent to industry; the attackers appear to be most interested in large companies, many with gross revenues over $100M USD. We know this because the lures sent out by the threat actors only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.</p>
<p>Based on the large number of Mexico Starlink IPs used in the campaign and the long timeframe of these connections, plus the addition of Spanish-language instructions to the modified RAT payload, we believe that the threat actor is based in Latin America.</p>
<p><b>Brief MITRE ATT&CK® Information</b></p>
<table>
<tr><th>Tactic</th><th>Technique</th></tr>
<tr><td>Initial Access</td><td>T1189</td></tr>
<tr><td>Execution</td><td>T1204.001, T1059.001</td></tr>
<tr><td>Defense Evasion</td><td>T1218.007, T1480, T1070.004, T1140</td></tr>
<tr><td>Command and Control</td><td>T1105, T1071.001, T1219</td></tr>
<tr><td>Credential Access</td><td>T1056.001</td></tr>
<tr><td>Collection</td><td>T1056.001, T1113</td></tr>
<tr><td>Exfiltration</td><td>T1041</td></tr>
</table>
<p><b>Weaponization and Technical Overview</b></p>
<table>
<tr><td>Weapons</td><td>Malicious MSI installer, .NET downloader, customized AllaKore RAT</td></tr>
<tr><td>Attack Vector</td><td>Spear-phishing; Drive-by</td></tr>
<tr><td>Network Infrastructure</td><td>Statically hosted C2</td></tr>
<tr><td>Targets</td><td>Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking</td></tr>
</table>
<p><b>Technical Analysis</b></p>
<p><b>Context</b></p>
<p>A long-running campaign targeting Mexican entities with large revenues ($1 million USD and above) was discovered by BlackBerry cyber threat intelligence (CTI) analysts. This campaign has been using consistently detectable C2 infrastructure since 2021 and has yet to be disrupted.</p>
<p><b>Attack Vector</b></p>
<p>Samples from the middle of 2022 and before, such as 942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a, were packaged as RAR files containing the AllaKore sample itself. RAR is a proprietary archive file format that supports data compression, error correction and file spanning.</p>
<p>Newer samples have a more complicated installation structure that delivers the downloader, compressed in an MSI file, which is a Microsoft software installer. The downloader first verifies, via network IP location services, that the target is located in Mexico before downloading the customized AllaKore RAT.</p>
<p>Installer files are structured like malspam attachments and have the following execution path:</p>
<p>Figure 1: RAT delivery process</p>
<p><b>What is AllaKore RAT?</b></p>
<p>AllaKore RAT is a simple, open-source remote access tool written in Delphi.</p><p>
It was first observed in 2015, and was most recently used by the threat group known as SideCopy in May 2023 to infiltrate organizations within a specific geographic area.</p>
<p><b>Early 2022 Sample</b></p>
<table>
<tr><td>Hashes (md5, sha-256)</td><td>21b7319ae748c43e413993ad57e8d08c<br />942865d0c76b71a075b21525bd32a1ceca830071e5c61123664bd332c7a8de2a</td></tr>
<tr><td>File Name</td><td>aluminio.rar</td></tr>
<tr><td>File Size</td><td>3840823</td></tr>
</table>
<p>"Aluminio.rar" decompresses “aluminio.exe”, which is the AllaKore RAT payload. Notably, new Spanish-language commands have been added to the original RAT payload.</p>
<p>Figure 2: Custom function names</p>
<p>This earlier sample reaches out to uplayground[.]online, a domain which was in use from late 2021 until mid-2022. The endpoint “/registrauser.php” was originally used as the AllaKore server. The endpoint "/license.txt" was used as an update location, always pointing to the latest version of the threat actor’s RAT. A breakdown of the custom functionality is given a little further down in this report.</p>
<p><b>Late 2022 Sample</b></p>
<table>
<tr><td>Hashes (md5, sha-256)</td><td>e5447d258c5167db494e6f2a297a9be8<br />bf26025974c4cbbea1f6150a889ac60f66cfd7d758ce3761604694b0ceaa338d</td></tr>
<tr><td>File Name</td><td>PluginIMSSSIPARE (1).zip</td></tr>
<tr><td>File Size</td><td>14220446</td></tr>
</table>
<p>The file obfuscation was changed in late 2022. This file has the following structure:</p>
<p>PLUGINIMSSSIPARE (1).zip</p>
<ul>
<li>INSTRUCCIONES.txt</li>
<li>InstalarPluginSIPARE.zip
<ul><li>InstalarPluginSIPARE.msi</li></ul>
</li>
</ul>
<p>The instructions read:</p>
<p>Figure 3: INSTRUCCIONES.txt</p>
<p>Translated, this reads:</p>
<p>INSTRUCTIONS</p>
<p>1.- EXTRACT THE CONTENT OF THE INSTALARPLUGINSIPARE.ZIP FILE</p>
<p>2.- RUN THE FILE CALLED "INSTALARPLUGIN"</p>
<p>3.- WHEN YOU FINISH THE INSTALLATION YOU WILL BE ABLE TO LOG IN NORMALLY</p>
<p>“InstalarPluginSIPARE.msi” is built with Advanced Installer 18.3. This file deploys a .NET downloader and a couple of PowerShell scripts for cleanup. “ADV.exe” is the .NET downloader, while the PowerShell command employed is:</p>
<pre>"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\admin\AppData\Local\Temp\AI_4ECB.ps1 -paths 'C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\aipackagechainer.exe','C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files','C:\Users\admin\AppData\Roaming\ADV','C:\Users\admin\AppData\Roaming\ADV' -retry_count 10"</pre>
<p>Both “file_deleter.ps1” and “AI_4ECB.ps1” are the same file, with sha256 80C274014E17C49F84E6C9402B6AA7D09C3282ADC426DA11A70A5B9056D6E71D. They are used to clear out the ADV directory once the final payload is delivered.</p>
<p>The “aipackagechainer.ini” file shows the installation and execution parameters:</p>
<pre>[GeneralOptions]
Options=bh
DownloadFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\
ExtractionFolder=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\

[PREREQUISITES]
App1=4.4.7

[App1]
SetupFile=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
Options=ip

[PREREQ_CHAINER]
CleanupFiles=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\ADVin\ADV.exe
CleanupFolders=C:\Users\admin\AppData\Roaming
CleanupScript=C:\Users\admin\AppData\Roaming\ADV\4.4.7 New-Files\prerequisites\file_deleter.ps1</pre>
<p>This shows the MSI installation path and execution chain. “ADV.exe” is the .NET downloader that will be run first, followed by the “file_deleter.ps1” script, which removes the installation files.</p>
<table>
<tr><td>Hashes (md5, sha-256)</td><td>2c84d115a74d2e9d00a14f19eb7f8129<br />2843582FE32E015479717DA8BF27F0919B246A39495C6D6E00AC7ECA8B1D789C</td></tr>
<tr><td>File Name</td><td>ADV.exe, App.exe</td></tr>
<tr><td>File Size</td><td>47104</td></tr>
<tr><td>Created</td><td>2039-08-06 15:13:14 UTC</td></tr>
</table>
<p>“ADV.exe” checks ipinfo[.]io for a geolocation in Mexico with the obfuscated function below. If MX is not in the response string, the downloader exits.</p>
<p>Figure 4: Function checking for Mexican geolocation</p>
<p>The rest of the downloader’s execution deobfuscates strings and then downloads content from hxxps://trapajina[.]com/516. The file is saved as “kaje.zip”.</p><p>
“Kaje.zip” is decompressed into the final payload, “chancla.exe”.</p>
<p>All payloads utilize the user agent “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)”.</p>
<p>“Chancla.exe” can also be found at hxxps://dulcebuelos[.]com/perro516[.]exe.</p>
<p><b>AllaKore RAT</b></p>
<p>AllaKore RAT, although somewhat basic, has the potent capability to log keystrokes, capture the screen, upload/download files, and even take remote control of a victim’s machine.</p>
<table>
<tr><td>Hashes (md5, sha-256)</td><td>aa11bedc627f4ba588d444b977880ade<br />6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f</td></tr>
<tr><td>File Name</td><td>chancla.exe</td></tr>
<tr><td>File Size</td><td>7696896</td></tr>
<tr><td>Created</td><td>2023-09-15 07:26:42 UTC</td></tr>
<tr><td>Copyright</td><td>CreatiUPRPS Win Service</td></tr>
<tr><td>Product</td><td>CreatiUPRPS Win Service</td></tr>
<tr><td>Description</td><td>CreatiUPRPS Win Service</td></tr>
<tr><td>Original Name</td><td>CreatiUPRPS Win Service</td></tr>
<tr><td>Internal Name</td><td>CreatiUPRPS Win Service</td></tr>
<tr><td>File Version</td><td>3.4.0.0</td></tr>
<tr><td>Comments</td><td>CreatiUPRPS Win Service</td></tr>
</table>
<p>“Chancla.exe” is the threat group’s modified version of AllaKore, which contains the following functionalities besides those originally found in the open-source AllaKore RAT:</p>
<ul>
<li>Additional commands related to banking fraud, targeting Mexican banks and crypto trading platforms.</li>
<li>Reverse shell through the command <|RESPUESTACMD|>.</li>
<li>Clipboard function through the commands <|CLIPBOARD|>, which only executes Ctrl+C, and <|PEGATEXTO|> (“grab text”), which copies content by executing the shortcut Ctrl+C. It can then paste the copied content via the shortcut Ctrl+V.</li>
<li>Downloads and executes files, providing an easy way for the RAT to become a loader and install additional components not hard-coded in the malicious binary.</li>
</ul>
<p>Figure 5: PEGATEXTO function</p>
<p>Figure 6: Descarun function</p>
<p>This sample utilizes uperrunplay[.]com as the C2 with the same URL as previous campaigns, using as endpoints “license.txt”, “license2.txt”, and “registrauser.php”. At the time of writing they pointed to the following:</p>
<ul>
<li>license.txt: version_400_https://domain[.]com/perro516[.]exe is a placeholder for AllaKore RAT itself; when pushing new versions, the threat actors changed the domain to dulcebuelos[.]com.</li>
<li>registrauser[.]php is the C2, which is used for communication with the RAT.</li>
<li>license2.txt: http://23.254.202[.]85/Chrome32[.]exe</li>
<li>Chrome32.exe (SHA256: 0b8b88ff7cec0fb80f64c71531ccc65f2438374dda3aa703a1919ae878f9eb67) is a Chrome extension that blocks access to URLs starting with enlaceapp[.]santader[.]com[.]mx/js/vsf_generales/.</li>
</ul>
<p>Figure 7: Chrome extension blocking rules</p>
<p><b>Network Infrastructure</b></p>
<p>The network infrastructure is not obfuscated in any way other than regular domain updates.</p><p>
The majority of servers used in this campaign are purchased through Hostwinds, while the domains are registered through eNom LLC.</p>
<table>
<tr><th>Domain</th><th>Type</th><th>First Seen</th><th>Last Seen</th></tr>
<tr><td>flapawer[.]com</td><td>C2</td><td>2023-12-13</td><td>Active</td></tr>
<tr><td>chaucheneguer[.]com</td><td>C2</td><td>2023-10-27</td><td>Active</td></tr>
<tr><td>hhplaytom[.]com</td><td>C2</td><td>2023-10-05</td><td>Active</td></tr>
<tr><td>zulabra[.]com</td><td>C2</td><td>2023-04-29</td><td>Active</td></tr>
<tr><td>uperrunplay[.]com</td><td>C2</td><td>2022-11-08</td><td>Active</td></tr>
<tr><td>uplayground[.]online</td><td>C2</td><td>2021-05-12</td><td>2023-04-28</td></tr>
<tr><td>praminon[.]com/519</td><td>Delivery</td><td>2023-12-23</td><td>Active</td></tr>
<tr><td>trapajina[.]com/516</td><td>Delivery</td><td>2023-10-07</td><td>Active</td></tr>
<tr><td>zaguamo[.]com/500</td><td>Delivery</td><td>2023-05-10</td><td>Active</td></tr>
<tr><td>pemnias[.]com/433</td><td>Delivery</td><td>2023-05-10</td><td>2023-10-16</td></tr>
<tr><td>isepome[.]com/435</td><td>Delivery</td><td>2023-02-03</td><td>Active</td></tr>
<tr><td>narujiapo[.]com/435</td><td>Delivery</td><td>2023-05-30</td><td>Active</td></tr>
<tr><td>manguniop[.]com/422</td><td>Delivery</td><td>2022-06-06</td><td>2023-06-06</td></tr>
<tr><td>debirpa[.]com</td><td>Delivery</td><td>2023-05-02</td><td>Active</td></tr>
<tr><td>dulcebuelos[.]com</td><td>Delivery</td><td>2023-03-15</td><td>Active</td></tr>
<tr><td>iomsape[.]com</td><td>Delivery</td><td>2023-02-03</td><td>Active</td></tr>
<tr><td>bstelam[.]com/431</td><td>Delivery</td><td>2022-08-06</td><td>2023-08-05</td></tr>
<tr><td>rudiopw[.]com/430</td><td>Delivery</td><td>2022-06-29</td><td>2023-06-26</td></tr>
<tr><td>ppmunchi[.]com</td><td>Delivery</td><td>2022-05-18</td><td>2023-06-30</td></tr>
<tr><td>pelicanomwp[.]com/422</td><td>Delivery</td><td>2022-04-29</td><td>2023-04-29</td></tr>
<tr><td>andripawl[.]com</td><td>Delivery</td><td>2022-04-03</td><td>2023-04-19</td></tr>
</table>
<p>All of the C2s utilize the same HTML and favicons, and are traceable with the following MMH hashes:</p>
<pre>http.html_hash:1125970204
http.favicon.hash:-2055641252</pre>
<p>IP Match MMH</p>
<ul>
<li>192.119.99[.]234</li>
<li>192.119.99[.]235</li>
<li>192.119.99[.]236</li>
<li>192.119.99[.]237</li>
<li>192.119.99[.]238</li>
<li>23.236.143[.]214</li>
<li>23.254.138[.]211</li>
<li>23.254.202[.]85</li>
</ul>
<p>Aside from a short resolution of uperrunplay[.]com to 23.236.143[.]214, these C2s are also hosted on Hostwinds servers.</p>
<p>All delivery servers are hosted on 23.254.136[.]60 and utilize ZeroSSL certificates. The server has been used for delivery purposes since 2022-04-03.</p>
<p>BlackBerry telemetry shows that remote desktop protocol (RDP) access to C2 servers is accomplished via express-vpn and mullvad-vpn, in addition to the use of Starlink IP addresses located in Mexico.</p><p>
The large number of Mexico Starlink IPs and the long timeframe of connections indicate that the threat actor is likely located in Latin America.</p>
<p><b>Targets</b></p>
<p>This threat actor is specifically targeting Mexican entities, especially large companies with gross revenues over $100M US. All lures have utilized legitimate and benign Mexican government resources, such as the IDSE software update document “guia_de_soluciones_idse.pdf” and the IMSS payment system SIPARE.</p>
<p>Figure 8: IDSE PDF header used as a lure</p>
<p>During the installation process, the .NET loader confirms the Mexican geolocation of the victim through IP location services before proceeding to download and deploy the RAT.</p>
<p>Targeting is indifferent to industry, as we saw targeted entities across the Retail, Agriculture, Public Sector, Manufacturing, Transportation, Commercial Services, Capital Goods, and Banking industries. The actors are most interested in large companies, many with gross revenues over $100M USD. We know this because the lures used only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department.</p>
<p>Function naming inside the RAT implies specific targeting of banks residing in Mexico. Prefixes to those names explicitly reference six Mexican banks and a Mexican crypto trading broker.</p>
<p><b>Attribution</b></p>
<p>The targeting of Mexican entities by this threat actor has been ongoing since at least late 2021. In December of 2021, Mandiant released an investigative report about FIN13, where they state that only two financial actors that they know of limit their targeting to one single country over a timeframe of multiple years. Only 14 of the financially motivated groups they track persist for longer than one year. These statistics point to this actor being unique in its persistence and regional targeting.</p>
<p>Custom functionality built into the RAT gives its operators specific fields to paste credentials and data related to their target’s banking infrastructure. This implies a segmented operation, where operators utilize the RATs to upload victim data to the C2 server in a specific format. That data can then be used by the individuals in charge of conducting fraudulent banking actions.</p>
<p>Function naming in Spanish, and Mexican Starlink IPs accessing RDP ports of the C2, indicate that this actor group is most likely located in Latin America.</p>
<p><b>Conclusions</b></p>
<p>This threat actor has been persistently targeting Mexican entities for the purposes of financial gain. This activity has continued for over two years, and shows no signs of stopping.</p>
<p>The number of sightings from within BlackBerry’s own internal telemetry, and the vast number of sample submissions to VirusTotal (the majority submitted from within Mexico itself), point to an extremely active group targeting any large Mexican company they can contact, with the hope of exfiltrating financial information.</p>
<p><b>APPENDIX 1 – Indicators of Compromise (IoCs)</b></p>
<p><b>File IoCs</b></p>
<p>sha256</p><p><br /></p><p>Type</p><p><br /></p><p>94489764825f620e777a34161d0ce506a49eec20bc27c3d63370e493a737d50e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>884789b63fe432938e1bb76c9976976c1905b74c2974340a60eb7ea8261d48fb</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>b18e0c7c9569b33187e2beaf3318e99b50ed40c54e7dee8a26ce711bc782b150</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>4085c9829e2b18fd4721688dc25c0611f260b6e4f827b667999d9603cfe5e2d7</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>66f5b7ca8760fb017b0750441707c24eaa916d5b8aa021b3aa92082c6129ca22</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>0a3aa8c2485a3b8525f044f33c6d268ab79e1942885792d95f6a1c0c45be6106</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>84a468a25a8c65dac51f520732d2e9e6afa6b59e4b2f485c262a9bd305cd61c0</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>9402128b9602fbb485be887def8cd72c3265cd09f6dbf4e0a3ad2ea42da66870</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>e4a6be2fb70603f1545641240680b44e21b5601e8016c0d144711423eef9778e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>d5ac0f4efa8396ae9ba74cc3ea2a62485e4d49a930efed0d69b043162bb66cc2</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>d63447877be48156032cc9ec9def7e25d62e7bc544bd3e19da75c0f55e09dcc0</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>7bb22d7013dede7b866ab25cbe32246228c46bd8a951b5a72557b7280ebb066f</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>2867d87bbc088b8cc50ff66f1d9c064cba978433cdb900649bbbb44370f8cbd1</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>b00fee1c275d12a05ca8a06ab54ffac2e3e8da68fd2be450f34c36c8a38e4887</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>e7e2a6fe7325ad7945a6020202ab5581e0a204f8b8ad9ffc48c18f129a6f8c46</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>42f1d24e135b9d3e4fd38e1ec3ab20cae495ec3526ae4037d937c6344914e923</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>88a9e666d4231a98a909ae5780778b85ffdb8a5207b8f7dfca2a0911cc0f6580</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>872c58b72962c1f0696b26563425c6734cc2246d1ea3375f675c1bd1ca915e59</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>49de6df83c5fe55c4e45b5744203513832f0435dbbd7913a3ce7f827afe51236</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>0eb20898a0a3c1f4a4210a819fa0bd8f8574db3413db8b85e381ab0c1963791a</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>d928ce7383d8582163c36773d1d97360a5ded812d11ee0faf99c7afa78251850</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>8a1381a829776220ec4bf0a9d36cf6842a5638b0190e667ee696bab04b8e7c9f</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>0835d21b60e3443892988d675f20393d79503ca6e37a889d9f7da19c321b3426</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>4276b4b4504edff275a4d56b99f66b23c48b49f4081abab36bf4d8f88818e2da</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>8cc14643ec452aa35e709ae34b874e0f070a20b174e7eeb2a046351a329cdde9</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>0eeb357abcd3864538dc26000f3a1d706c2c330fadfb845f7fc350b382d00c4e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>61037a3321e143d85cdf77abf31f33ca5a701da0b84cef172bcf89457dfb4e7d</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>0324d8ed29829e5fa7add2bab1e73f2ad0094e80867caf57d35369a5e22fe79c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>2444dd2bb0a0fa0631935ddeb829b753d1ba46c9149ee45f79794903f26e16fa</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>19d357351a29f6530624556bd31c475d56ea9ad76f31eb28f7d251fa3c751d62</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>da0b73d2f42f0232762f7c8d3eaa6863969f1982b798cd9fc19431c901ae4635</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>2843582fe32e015479717da8bf27f0919b246a39495c6d6e00ac7eca8b1d789c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>b1489b216fb25bcf57329546c160800645c0a6620add3c8323e2b589d7150e9e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>a72018420f8aab9cb431d120bfa06acd09d777a88aa186ec495dffdc22395f0e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>2a0d1c7354b43acd6fd0303beb6277db92691f03e37baea0c39249ae0d8b5301</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>906d49817970955847f64d2f868e418579549e9cfa91c575f38342a1bd66ad4b</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>e01b10fc4131b8eec32148e559b95fd82da817166b831ae32a0fa89be883e8e9</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>08f0954be207eaa1a85cdc9eed4ad2737613bbbf240a7c30b658b583c3ddef0c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>3499e5bd9daad587e05337bae5e953f279ebee20d9cf6d2a1707be28ce6295bf</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>1230b1a189b17a4da79bc10bde0fbb439c37997c8f927d4a80c61b006d8b3267</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>17213aa5a43fcf6a6baf5e784f33411cd0fa3a2fb00418486085c5a24695af7c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>c86f9d739ea3c6b57fd070892be9d1d4b3c50fca8a8c3e05cf84875378fcc649</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>b61c027adcef5d2108dc13735cef5d4bce295f13de6032f3fee5129be74816b6</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>968f90a4567cdf67885c116379c792b4eeda1f7f8bd2cf34daf8c58b17f2ec0f</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>a65091e8912e4b65458041f866d37410b46e7a9432a57e0d7dc01ca4a21f3940</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>bf3e96bb6273890f48b566e9d484e0e747e8f21e3dbd6606a39edf98faedc7b1</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>6d3a50a354bcf2df226ce1065563755b3ab16d2e440900e3b80a9f0571c0f73a</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>da61eb41bffd50a07793ccc8b2ead76f5c49313445f07aa685c28523bbf39a00</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>caa7ef0b9a6ea51752813b7107348f46a3475acf9b3f1242e675f6a1296ccb2c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>eaf26e1d12e0ae355441499bdf9d13c582540f3876bddfdef95c676f185609b8</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>cee2730a6e4100e3b865cb6fee41f77ec5a8bfce186b1e121ebb4236cd3dff88</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>e1246fbac51f8369292aec96270dd4b2a62fd148d9b6f2ca8ee208631237a44f</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>f292911c11a15001ca66e90df341f8763d4d149482f06f85cc2873651d205a6b</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>8d4d672eeba756c7ace20aea90219c8f7409b23ecc9c2eb47a31b1cd2d3577a6</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>7474cd11f62a53f0f3035fb62753561067cd771ec3e5d73823e74d4f4b8d31cb</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>74f637b21f7c68e6d56f0d64378336b28f500d82d4eb876d5b1cbbfe3a952ac2</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>bbd94254223f4ec3edbcc44c5d6d5ae5029c8d9c4512f02d3c61d2a28c3c5416</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>31e060d82ef68613d26b5e47c3934d482fc2975dad71fa6e677900cc8a938116</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>55455d2488d127fc7bb6976821c36ad5661a5e57e2d57dcc7ae7cb12ba7282d3</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>301f27dc88655927ce45b0c1138b4931b0d3aa7dcfdd424315d5c7339c540e52</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>5c1306596589d0b0c0f0d04be6687e5c2dbe92fbba493760b0ded7a47942fbb1</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>bc81f08ad4c543a35f899da8d45787751b50d221d67dae083d62097631ace059</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>582aa139fb1c315f68106cc2e50c10835874e8bc77aeb7302453f9aa3c25d920</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>7bced78c519befdb1b7ef3b973250f4ee2d3c2404309cea372df16b8ff5b1d84</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>8185e9784adfd6c2f1a286a724e7e374008667ae1f50cfa1a58451a5c33af536</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>05d0dd9916646c6144506bb26cab500d807ab015609bd19634e890fbeb63e48f</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>f8262a0c746bbfbb3e7cb17398953cd8391cdf416b759d4be1f1fc11611f4eb3</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>14f15b1d7951f078bbf412bb2ef774c812efff70280b86b8176994374c0e766d</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>ec1ea0b01ad6cd431c8441dc83537c3d9ef00994f9dd76a3041ff50c2526ce38</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>53e196f293b4f99face97449d18106f7dc9df5b9170354d1c1da27f9ec71849c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>a20672a07f3cf2e67682486c1a2b6684e9a50ca129260a74353d1664be25aa92</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>cdf35bb3a256d4bd4e09a2a9b19e4682a3952233c720e37d9ae88e4050b8473a</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>b9ea5ecbda6abd328bd7370d250fa9ab5a38a104955ac383cecee8ce581b9d80</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>933858679466d57b4ea47003f08d864b1a417d7be75008e42ecd62f05dde7964</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>3ad89c70d77b9fec35bbbac25d3dabca9d6c1fc055b8570a2d34b3af5ac58aef</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>55f1b8346fc2e94791431a237d8a38fb6bb2014380b1905955d12bccb8c24e79</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>c1e18c6a611ccf23971a43fcdc0186d6a3f2bb0ee792140c35fc1e1a34582551</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>225d10a0b3880eebafb327769e39a2484161e21e5d07ddef8fe16b65d2a90113</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>dcea0d579d3d6ab2d29a3665e3e0c3849ccd42abe390b80bf362c79088a1ebbe</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>4865a260754a6a8740a85c40ef4185420334f9b21cc0d865295fdae4bb1e94a4</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>ae192d14a916ecdb55803830eace5ef820b1b520a751b6b689fa9591f6f292bc</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>bdc0a1ad95b1a62ae1e702681949fea485f42d5884aca78df02a64869688192e</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>c625ac5c134a74d84f8ce91504e41af15972ec71c064f7a5d31c588a8ff2c332</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>ea357305411b9c6b27657782e2bb14bc0c18149a7ad4093b30c12b041f785933</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>f76f5c12b81aa6d7fac0eeb4b775004c525ae50ebb049b6f4177417104eb8ef4</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>2be8c01e5ffcabb566212268a63ef3c42db5c57d3e879abe99b06b48ac9bacda</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>46f5ffcc04ea1eaf09cfce1a9329624c85a5c5435d91444a55ce02fceebfd2f7</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>ed7da8aef7dbe652b429d64a918a943c6586e1d4cec353c84663f8b451c09874</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>3c1be333e85f0243cdbcecfd727e86d582569809e2c45fefb64261b473ca1734</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>f0dfa2297df28f64dc38da3a54bbef5c499691a8cf05de0f08e20f4f7077e67c</p><p><br /></p><p>.NET Loader</p><p><br 
/></p><p>40fc64907dcd0063e5f2b604fe78d0484d821cb9cda199d3cdca5e0219b43587</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>fc39aa0d2486c746f9b8d4d459a65517a21f961fb24ec25c4470f0b86e8c7cae</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>4bfa7c32d9eb8f7468a1919dbf9698e971052c091de4b66b125ba18b04bbe607</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>d8e22f8b5964428b4a29e5aad9ec9186bd96e7d29bc56ede8821a24294629931</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>bc3fcaa746c261af6b72ee0720fa739d7f79df71709b7067f016e30578f94c22</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>263bc3729f5785acb6647af950f3fe0a0cbbe05d2fcc9639276852ba39ecbaa2</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>f31a6b19572b668dbb473a0e43e53b9c1e5020b057421de8fc019c150ed3fb38</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>ee32169bef700d3dcceb86a101e188e5c0146a1104ee8809d1e031d93cdee36c</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>9946fb2e81d07ad7780a20cf06b59bd27177c8bd6ed543e13089c47957adab1a</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>c5a4bf56670d51fed1e88050eddb003f39af0e22fbb01163679fef758b000392</p><p><br /></p><p>.NET Loader</p><p><br /></p><p>4524d47ca7b7d71764f12807fd3722e4b890388eb2f5bf975d58c6afd0221fb3</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>8e2fc9de5da07a6cf6cfeb3349185e282cec5eed944cb66873136bd697389516</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>2f9f289224482204b0f3bb4f0af8fe99f235daea99fe435cbc53dcbb9bc22bb0</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>434ec6d3575f72e680a8bf9211b3a853d80457644ff01d7acc41657b9bfdca24</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>eee76b24be7121434ec7ad1ca39792cbfec594916f8e143fad18698955ba0870</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>81c5b7940a69854c72cb99d4af6a1092f0adc9182e9e8fd729b1857126d096ba</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>70d6cf1d106783bced15e4bd31b91a6be8ae9d9746955da60cfdf1cb1f9dbf7d</p><p><br /></p><p>MSI Installer</p><p><br 
/></p><p>77607c0a0a1dcaa4f1ba27e17d5eba5d79fbbf64e1e71b8f4e03a6f724653355</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>80bc99cd883421432e034d0c714d892ecaac6385fd86bd74e9291a736e118f28</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>d48d277f7891ed1e2797d551c1470eae87af7b82746fa8dc2083440c42bcc112</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>71a106f9fbce3e5b48baaacc250beb292cbc0c63190c3ae390f69c17e0be5465</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>c9c18f3eb35b9359c52737e12c35701401867b91aad0ca17822e8a82fce46001</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>9cbf221cfb8fe33c0a3e352742c8b9b931fef5b5c6a07e33cdeebe97b6113622</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>335b69874aff8bc4c45404917fb34523c7205854a979a5293b40d0b2aa52ed89</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>6eed0ff8083a07cf43850e74a9667267613783721834c7593338f888b419ca47</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>5925f48a5b1abc6d25858bf7d3cfc4ec98991ecc5fddebe79b80c29789a2f5fe</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>a6fbcc0b368109a964e55869969d33db7287726b2e0dbf46bdcaa91f6adc1edb</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>98f7bda5f3c4d7f845b6812d774765907b7b943b7d97386c1a8135c2051b2225</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>8a444480e1a313ce35b3535c8df8f5511817e57897e7b5de0e36b5973c21fb82</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>a8f7253907eb8ab7021c58cc8a03c32f33d4a3a86494b9198b68cec3219a968c</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>aeda5536fe7239843130547c677d2094883fd45aafeffb91c196c9b12c36232b</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>750baeecb35d18010fbdfd0c90ecd4be3083a51b39837f596f0887bfd294e170</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>28107b1104bb5fd61d49b64460a0f1f75c664930b251849361783cf60d518c7d</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>56f7283604960cca96200e5da47dd6a4408086a77973f96ca230b2a583545cd8</p><p><br /></p><p>MSI Installer</p><p><br 
/></p><p>490bd1a59cb2d43828c301d943b7c6a848f2b70d901d69234ccc7c88db8f8ca7</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>44339460d0dfe01d68c10c9a084f1d4530b0c135d6be55bcbc8666822b454f3f</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>39be7067ccedfac84b9ff7d15bc6297d8d8637357aaa4b68286ed8af2e65a2e7</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>4edc594040c0a3b0dfa5b343d1f000271b0e6d3bd3f29988c360735c6ffd9fc0</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>9103f43dcf834b696ff3f6f4ea58dc0bdf14e1483f91420313157bb1a41ba76b</p><p><br /></p><p>MSI Installer</p><p><br /></p><p>13d88bcf312896fae6d03d59c564bc9521e0916096098cfe41508395955aab0e</p><p><br /></p><p>AllaKore</p><p><br /></p><p>168ac972b7f0610f978e50b426e39938f889422b1bcfaf9cddf518e3e1ed9aa9</p><p><br /></p><p>AllaKore</p><p><br /></p><p>2ff3cdb886b1caf3eaad9a2467bfa16b9269b88695b76bb6a0da481458e30aa3</p><p><br /></p><p>AllaKore</p><p><br /></p><p>305cde85573131949fab5a3973525a886962c4f8c02558d3a215689a49f53406</p><p><br /></p><p>AllaKore</p><p><br /></p><p>33578228c11ad0b3d86a198a32b602aa93a91d2feeae2fb2e83f8c6595c8acd9</p><p><br /></p><p>AllaKore</p><p><br /></p><p>422c9471c29fe17457e142df1a567c273212019eb20b0b4783891c529c1248a8</p><p><br /></p><p>AllaKore</p><p><br /></p><p>46c14c2f0d04710f53db16473877d3315c13e1a33a3236846a87e8f91808c8eb</p><p><br /></p><p>AllaKore</p><p><br /></p><p>49a04f31e49cee3ae65e9d776bc0f8aedf40c52fafcd002ccf7de4044abec2dd</p><p><br /></p><p>AllaKore</p><p><br /></p><p>52134d02cd77f8a65fd5b15c7c57ff2909ac39f0b5779592c533a18bf6b23879</p><p><br /></p><p>AllaKore</p><p><br /></p><p>5961b42f8efad58c437bdad862a0337c6bcd57f7cbf35184f2de60f4609fd477</p><p><br /></p><p>AllaKore</p><p><br /></p><p>673d4fe6f9e46fae37649c525f1d0d89cfd3b8310210dff4ddc7349418d9e80f</p><p><br /></p><p>AllaKore</p><p><br /></p><p>6d516a96d6aa39dd9fc2d745ea39658c52ab56d62ef7a56276e2e050d916e19f</p><p><br /></p><p>AllaKore</p><p><br 
/></p><p>89206ca169747d4aa70d49350415f21df7f1a00a3bf8d0c253b6beda2eb919d9</p><p><br /></p><p>AllaKore</p><p><br /></p><p>8fce1d24cf952528169f473b9462724482511615ed31165710e5e3a74cefdd02</p><p><br /></p><p>AllaKore</p><p><br /></p><p>911e45d053bdf3a41e812203ae29db739cf3505a4e37209936c1cc83ee42e8e9</p><p><br /></p><p>AllaKore</p><p><br /></p><p>9221470c77b46bcd457951ae3a3d31d60ad4602ea9d152d51d1e4f9a5b3bca3a</p><p><br /></p><p>AllaKore</p><p><br /></p><p>a5af60355c423fa4cc9695b86a5697f847259eaee724065162d303cc4523d447</p><p><br /></p><p>AllaKore</p><p><br /></p><p>b858d451804a641fc51dd6d3c50668d6a08dc9033252aee52f582264a970cff8</p><p><br /></p><p>AllaKore</p><p><br /></p><p>bc423bd9acd7c5a1f2849091f21de5429f2fc79e2655f92866e1c8b7b1f96f7e</p><p><br /></p><p>AllaKore</p><p><br /></p><p>c778739c5214aa580cba05f01afe2d9fc8f12d3fa7ad864a279bcb4ad6d266b4</p><p><br /></p><p>AllaKore</p><p><br /></p><p>cde045a0269a5a05928128c6ca7c030947f96034c9204e2b747a0d626e3f22f3</p><p><br /></p><p>AllaKore</p><p><br /></p><p>e2d82ab6cc71a1d8d2a2ba2312b0d8a4a3d23e3902d5b180383d9e406097a9ff</p><p><br /></p><p>AllaKore</p><p><br /></p><p>ee772e1260c6adc532bed57cacdbb6e0b8db311996074ad42eaf1aefd243187a</p><p><br /></p><p>AllaKore</p><p><br /></p><p>eecc201c80809b636d945aa537b954dd2e39382c36067a040a672167a1257a09</p><p><br /></p><p>AllaKore</p><p><br /></p><p>fba031543c3ab694a09e603a7df6417f93742f0b87f9fedaf9ab84d11340ccb5</p><p><br /></p><p>AllaKore</p><p><br /></p><p>fd8c49d00effa8bc730e06ae217655a430ba03122ca974945d41642299853dfa</p><p><br /></p><p>AllaKore</p><p><br /></p>
<p><b>Network IoCs</b></p>
<table>
<thead><tr><th>IoC</th><th>Type</th></tr></thead>
<tbody>
<tr><td>flapawer[.]com</td><td>C2</td></tr>
<tr><td>chaucheneguer[.]com</td><td>C2</td></tr>
<tr><td>hhplaytom[.]com</td><td>C2</td></tr>
<tr><td>zulabra[.]com</td><td>C2</td></tr>
<tr><td>uperrunplay[.]com</td><td>C2</td></tr>
<tr><td>uplayground[.]online</td><td>C2</td></tr>
<tr><td>192.119.99[.]234</td><td>C2</td></tr>
<tr><td>192.119.99[.]235</td><td>C2</td></tr>
<tr><td>192.119.99[.]236</td><td>C2</td></tr>
<tr><td>192.119.99[.]237</td><td>C2</td></tr>
<tr><td>192.119.99[.]238</td><td>C2</td></tr>
<tr><td>23.236.143[.]214</td><td>C2</td></tr>
<tr><td>23.254.138[.]211</td><td>C2</td></tr>
<tr><td>23.254.202[.]85</td><td>C2</td></tr>
<tr><td>23.254.136[.]60</td><td>Delivery</td></tr>
<tr><td>trapajina[.]com</td><td>Delivery</td></tr>
<tr><td>narujiapo[.]com</td><td>Delivery</td></tr>
<tr><td>zaguamo[.]com</td><td>Delivery</td></tr>
<tr><td>debirpa[.]com</td><td>Delivery</td></tr>
<tr><td>isepome[.]com</td><td>Delivery</td></tr>
<tr><td>iomsape[.]com</td><td>Delivery</td></tr>
<tr><td>pemnias[.]com</td><td>Delivery</td></tr>
<tr><td>bstelam[.]com</td><td>Delivery</td></tr>
<tr><td>rudiopw[.]com</td><td>Delivery</td></tr>
<tr><td>manguniop[.]com</td><td>Delivery</td></tr>
<tr><td>ppmunchi[.]com</td><td>Delivery</td></tr>
<tr><td>pelicanomwp[.]com</td><td>Delivery</td></tr>
<tr><td>andripawl[.]com</td><td>Delivery</td></tr>
<tr><td>dulcebuelos[.]com</td><td>Delivery</td></tr>
</tbody>
</table>
<p><br /></p>
<p><b>APPENDIX 2 – Applied Countermeasures</b></p>
<p>Yara Rules</p>
<pre>
rule MX_fin_downloader_kaje_decode_func {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates .NET function that deobfuscates kaje filename"
        date = "2023-12-19"
    strings:
        $s1 = {1A8D??00000125161F6A0658D29C25171F620659D29C25181F6B0659D29C25191F660659D29C0B}
    condition:
        all of them
}
</pre>
<pre>
rule MX_fin_downloader_elearnscty_string {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Locates unique strings to the MX fin .NET downloaders."
        date = "2023-12-19"
    strings:
        // ElearnScty Testing course (base64, UTF-16LE)
        $s1 = {52 00 57 00 78 00 6c 00 59 00 58 00 4a 00 75 00 55 00 32 00 4e 00 30 00 65 00 53 00 42 00 55 00 5a 00 58 00 4e 00 30 00 61 00 57 00 35 00 6e 00 49 00 47 00 4e 00 76 00 64 00 58 00 4a 00 7a 00 5a 00 51 00 3d 00 3d 00}
    condition:
        all of them
}
</pre>
<pre>
rule MX_fin_custom_allakore_rat {
    meta:
        author = "BlackBerry Threat Research & Intelligence Team"
        description = "Find MX fin custom function names and prefixes."
        date = "2023-12-19"
    strings:
        $main = "<|MAINSOCKET|>"
        $cnc1 = "<|MANDAFIRMA|>"
        $cnc2 = "<|FIRMASANTA|>"
        $cnc3 = "<|MENSAJE" wide
        $cnc4 = "<|DESTRABA" wide
        $cnc5 = "<|TOKEN" wide
        $cnc6 = "<|TRABAR" wide
        $cnc7 = "<|USU" wide
        $cnc8 = "<|ACTUALIZA|>" wide
        $cnc9 = "<|BANA" wide
        $cnc10 = "<|CLAVE" wide
    condition:
        uint16(0) == 0x5A4D and
        $main and
        2 of ($cnc*) and
        filesize > 5MB and filesize < 12MB
}
</pre>
<p><br /></p>
<p><b>APPENDIX 3 – Detailed MITRE ATT&CK® Mapping</b></p>
<table>
<thead><tr><th>Tactic</th><th>Technique</th><th>Sub-Technique Name</th></tr></thead>
<tbody>
<tr><td>Initial Access</td><td>T1189 - Drive-by Compromise</td><td></td></tr>
<tr><td>Execution</td><td>T1204 - User Execution</td><td>T1204.002 - Malicious File</td></tr>
<tr><td>Execution</td><td>T1059 - Command and Scripting Interpreter</td><td>T1059.001 - PowerShell</td></tr>
<tr><td>Defense Evasion</td><td>T1218 - System Binary Proxy Execution</td><td>T1218.007 - Msiexec</td></tr>
<tr><td>Defense Evasion</td><td>T1480 - Execution Guardrails</td><td></td></tr>
<tr><td>Defense Evasion</td><td>T1070 - Indicator Removal</td><td>T1070.004 - File Deletion</td></tr>
<tr><td>Defense Evasion</td><td>T1140 - Deobfuscate/Decode Files or Information</td><td></td></tr>
<tr><td>Command and Control</td><td>T1105 - Ingress Tool Transfer</td><td></td></tr>
<tr><td>Command and Control</td><td>T1071 - Application Layer Protocol</td><td>T1071.001 - Web Protocols</td></tr>
<tr><td>Command and Control</td><td>T1219 - Remote Access Software</td><td></td></tr>
<tr><td>Credential Access, Collection</td><td>T1056 - Input Capture</td><td>T1056.001 - Keylogging</td></tr>
<tr><td>Collection</td><td>T1113 - Screen Capture</td><td></td></tr>
<tr><td>Exfiltration</td><td>T1041 - Exfiltration Over C2 Channels</td><td></td></tr>
</tbody>
</table>
<p><br /></p>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-76997615735536982302024-01-27T01:49:00.000-08:002024-01-27T01:49:38.232-08:00Akira ransomware gang says it stole passport scans from Lush in 110 GB data heist<h1 style="text-align: left;">Cosmetics brand goes from Jackson Pollocking your bathwater to cleaning up a serious digital mess</h1><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktvBTmqT5F65K-AGydbsRNGfYZN7BJCPrnEpIkicufjQWPC4iL4xaTmFkPEXli0IusrezZ2DwwT3QltWHA1eCDeWtlJtn6Dg4bHUX8KkPt_qe_fv_0wd8qfvFKglVmPNYR4H-8F41g23XTdVxgWPD9DiABAEVBk5sokuzQplOjJu7mWpx7yCYBkjxFQru/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152647.988.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktvBTmqT5F65K-AGydbsRNGfYZN7BJCPrnEpIkicufjQWPC4iL4xaTmFkPEXli0IusrezZ2DwwT3QltWHA1eCDeWtlJtn6Dg4bHUX8KkPt_qe_fv_0wd8qfvFKglVmPNYR4H-8F41g23XTdVxgWPD9DiABAEVBk5sokuzQplOjJu7mWpx7yCYBkjxFQru/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152647.988.png" width="320" /></a></div><br /><div><br /></div><div>The Akira ransomware gang is claiming responsibility for the "cybersecurity incident" at British bath bomb merchant Lush.</div><div><br /></div><div>Akira says it has stolen 110 GB of data from the UK-headquartered global cosmetics giant, which has more than 900 stores worldwide, allegedly including "a lot of personal documents" such as passport scans.</div><div><br /></div><div>Passport scans are routinely collected to verify identities during the hiring process, which suggests Akira's affiliate likely had access to a system containing staff-related data.</div><div><br /></div><div>Company documents relating to accounting, finances, tax, projects, and clients are also said to be included in the archives grabbed by the cybercriminals, who are threatening to make the data public soon. 
There is still no evidence to suggest customer data was exposed.</div><div><br /></div><div>Akira's retro-vibe website separates victims into different sections: one for companies who didn't pay the ransom and thus had their data published, and another for those whose data is to be published on an undisclosed date.</div><div><br /></div><div>A likely conclusion to draw, if the incident does indeed involve ransomware as the criminals claim, is that there may have been negotiations which have stalled, with Akira using the threat of data publication as a means to hurry along the talks.</div><div><br /></div><div>The Register approached Lush for comment. Its representatives acknowledged the request but did not provide a statement in time for publication.</div><div><br /></div><div>Lush last communicated about the situation on January 11, saying it was responding to an "incident" and working with outside forensic experts to investigate the issue – phrasing often used in a ransomware attack.</div><div><br /></div><div>"The investigation is at an early stage but we have taken immediate steps to secure and screen all systems in order to contain the incident and limit the impact on our operations," it said. "We take cybersecurity exceptionally seriously and have informed relevant authorities."</div><div><br /></div><div>The statement came a day after a post was made to the unofficial Lush Reddit community. 
Written by a user who seemingly had inside knowledge of the incident, the post claimed members of staff were instructed to send their laptops to head office for "cleaning" – an assertion that El Reg understands to be true.</div><div><br /></div><div>Akira is better known for its extortion-only MO, which it adopted more recently in October 2023.</div><div><br /></div><div>A recent report from researchers at Sophos revealed that they only responded to a single case that actually led to the deployment of a ransomware payload, and that was back in August 2023. That said, this intel is limited only to Sophos's engagements – other incident response companies may have a different story to tell.</div><div><br /></div><div>Chester Wisniewski, director, global field CTO at Sophos, said today: "It is unclear if this was a ransomware attack or simple extortion as Sophos Incident Response Services has observed this crew to engage in either or both activities with their victims. If it was extortion without an encryption component this could be why there has been no visible external disruption to Lush's operations."</div><div><br /></div><div>He added: "Akira is developing into a force to be reckoned with. We first observed them in early 2023 and have seen an increasing number of victims approach our incident response service. They seem to favor attacking vulnerable Cisco VPN products and remote access tools without MFA deployed. 
While we don't know the cause of Lush's alleged breach this is a great reminder of the importance of expedient patching of all external facing network components and the requirement for multifactor authentication for all remote access technologies."</div><div><br /></div><div>The group is primarily known for targeting organizations in the UK, Australia, and North America, and also its indiscriminate targeting of industries – anyone is fair game for them.</div><div><br /></div><div>According to SentinelOne's insights, Akira also demands "outrageous ransom payments" that can regularly reach US dollar sums in the nine-figure range.</div><div><br /></div><div>Trend Micro's analysis found that the group is run by "highly experienced and skilled operators" and is thought to be one of the many spin-off gangs following the crumbling of Conti in 2022.</div><div><br /></div><div>Blockchain data and the source code of Akira's ransomware payload both pointed to a relationship with Conti, itself a descendant of Ryuk, both of which were considered the most menacing ransomware operations of their times.</div><div><br /></div><div>Akira is also believed to be behind the recent attack on Finnish IT service provider Tietoevry, which has affected a number of online services at Swedish government departments and some of the country's universities.</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-21974345417291566832024-01-27T01:46:00.000-08:002024-01-27T01:46:14.258-08:00Pegasus Spyware Targets Togolese Journalists' Mobile Devices<h1 style="text-align: left;"> An investigation into 2021 intrusions uncovered multiple infections on the phones of journalists in the African country.</h1><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQs4-ZRYjr_xd4Ay4jxxHyK8-kroydBBD4Bt-PRRJ5_JEzH-W9AWUFW6_cTsLqVgOFDMXs7Q_n40VwK0xXfIgjGPVgS4uWCrptjmtMgnOeoIxJxv2T2Z12aJbIwFF4A1T2dVbMj_cDNHlxl9kn-Jwpkie7Zx0cJJMZ4QLoS1Ovq-CHabF_XAFbQuHQ1CQ/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152329.210.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQs4-ZRYjr_xd4Ay4jxxHyK8-kroydBBD4Bt-PRRJ5_JEzH-W9AWUFW6_cTsLqVgOFDMXs7Q_n40VwK0xXfIgjGPVgS4uWCrptjmtMgnOeoIxJxv2T2Z12aJbIwFF4A1T2dVbMj_cDNHlxl9kn-Jwpkie7Zx0cJJMZ4QLoS1Ovq-CHabF_XAFbQuHQ1CQ/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152329.210.png" width="320" /></a></div><br /><div><br /></div><div><div>Cyberattackers have installed the Pegasus spyware on the phones of multiple journalists in the African country of Togo.</div><div><br /></div><div>According to Reporters Without Borders, the spyware was used by Togo's government until 2021, and there is evidence of at least 23 spyware intrusions — between Feb. 1 and July 10 in that year — on one of the phones used by Loïc Lawson, the publisher of Flambeau des Démocrates, an independent weekly paper in Togo. </div><div><br /></div><div>Freelance journalist Anani Sossou was the target of a similar intrusion on his phone on Oct. 
25, 2021.</div><div><br /></div><div>Three other Togolese journalists — Ferdinand Ayité, Luc Abaki, and Carlos Ketohou — were on the list of 50,000 potential Pegasus targets that were identified by an international consortium’s investigation in 2021.</div><div><br /></div><div>Pegasus spyware, produced by the Israeli company NSO Group, allows the controller to access and extract whatever they want from an exploited mobile device, and can intercept and transmit messages, emails, media files, passwords, and detailed location information without a user’s knowledge or interaction. It has been used to monitor other journalists and politicians.</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-45003205579832472072024-01-27T01:42:00.000-08:002024-01-27T01:42:48.609-08:00Therapy Provider Notifying 4 Million Patients of PJ&A Hack<div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT5pjHL2xRcPb6onAqKdkNjL2QKxtq8pgKS1Wt8r5fp1iCW8BvCt7ZNtdAZs9rONIdjz9IObRdfO04h2420e53ZAA4ntDYkdqpMdXNfBXiON_ceuLETJlU85hwRjWeI5oZ3a1kAQT3tHY9QRvCxcUI2dAYVcpl9g3LoyAFZqp4YmxEG7HfiiBQn1HhxFxQ/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152000.815.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT5pjHL2xRcPb6onAqKdkNjL2QKxtq8pgKS1Wt8r5fp1iCW8BvCt7ZNtdAZs9rONIdjz9IObRdfO04h2420e53ZAA4ntDYkdqpMdXNfBXiON_ceuLETJlU85hwRjWeI5oZ3a1kAQT3tHY9QRvCxcUI2dAYVcpl9g3LoyAFZqp4YmxEG7HfiiBQn1HhxFxQ/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T152000.815.png" width="320" /></a></div><br /></div><div style="text-align: left;"><br /></div><div 
style="text-align: left;">A Texas-based physical and occupational therapy provider is notifying nearly 4 million patients that they have joined the soaring tally of victims of a data theft incident at a Nevada medical transcription vendor last year.</div><div><br /></div><div>Concentra Health Services reported to the U.S. Department of Health and Human Services on Jan. 9 that the 2023 hack of Perry Johnson & Associates had affected 3.9 million of its patients. The compromise of the medical transcriber appears to have exposed the personal data of at least 14 million patients and counting (see: Medical Transcriber's Hack Breach Affects at Least 9 Million).</div><div><br /></div><div>PJ&A reported the hacking incident to HHS' Office for Civil Rights in November as affecting nearly 9 million individuals. So far, a growing list of organizations have disclosed they are among the PJ&A clients affected.</div><div><br /></div><div>While PJ&A has not publicly named all its clients that were affected by the hack, Concentra, like some other affected entities, has filed its own breach report to HHS OCR, separate from the one submitted by PJ&A. The medical transcriber hasn't disclosed the total number of people affected by the hack in consideration of the separate breach reports various clients have filed on their own to HHS OCR. 
But that total appears to be at least 14 million individuals, so far.</div><div><br /></div><div>Northwell Health, the largest health delivery organization in New York, was also among several PJ&A clients last fall disclosing it too was stung by the incident, with about 3.9 million patients affected, putting that breach just about tied with Concentra's PJ&A compromise, in terms of the large numbers of patients affected.</div><div><br /></div><div>Another large healthcare provider in New York - Crouse Health - reported that an undisclosed number of its patients had been affected in the PJ&A incident.</div><div><br /></div><div>The PJ&A hack prompted New York's attorney general in November to issue a public warning about potential ID theft and fraud risks facing affected patients in the wake of the incident (see: NY AG Warns of ID Theft Risk in Medical Transcription Hack).</div><div><br /></div><div>Meanwhile, litigation against PJ&A related to the hack continues to pile up. As of Friday, federal court records show that more than 40 proposed class action lawsuits have been filed in recent months against PJ&A, and some of them name the company's various clients as co-defendants.</div><div><br /></div><div>One such proposed federal class action lawsuit complaint filed last week in Nevada against PJ&A and Ohio-based Mercy Health - another medical transcription client affected by the incident - alleges negligence and other claims against the organizations for their failure to safeguard patients' sensitive information.</div><div><br /></div><div>PJ&A faces similar claims in dozens of the other lawsuits, which for the most part all seek financial damages and injunctive orders for the company to improve its data security.</div><div><br /></div><div>In a breach notice posted on its website about the PJ&A incident, Concentra encouraged affected individuals "to remain vigilant against incidents of identity theft by reviewing their account statements, credit reports and 
explanations of benefits forms for unusual activity and to detect errors."</div><div><br /></div><div>Concentra did not immediately respond to Information Security Media Group's request for additional details regarding the PJ&A breach, including whether any of the therapy provider's patients have reported ID theft or fraud incidents they suspect may be linked to the hack.</div><div><br /></div><div>PJ&A in its breach notice said an "unauthorized party" had gained access to the company's network between March 27, 2023, and May 2, 2023, during which time the intruder acquired copies of certain files from PJ&A systems.</div><div><br /></div><div>This incident did not involve access to any systems or networks of PJ&A's healthcare clients, the company said. Also, the information affected by the breach did not contain credit card information, bank account information or usernames or passwords, PJ&A said.</div><div><br /></div><div>Files affected by the incident contained personal health information of certain individuals, including name, birthdate, address, medical record number, hospital account number, admission diagnosis, and dates and times of service.</div><div><br /></div><div>For some individuals, affected information also includes Social Security number, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.</div><div><br /></div><div><b>Prime Targets</b></div><div>Medical transcription firms have a number of inherent traits that make them appealing potential targets for hackers, some experts said.</div><div><br /></div><div>First, medical transcription businesses are known to have "large volumes of detailed, patient-identified data that can be used for a variety of crimes, including fraud and blackmail," said Kate Borten, president of privacy and security consultancy The Marblehead Group.</div><div><br 
/></div><div>Patients may be subject to scam sales of products related to their diagnosis, or the data can be used to submit fraudulent claims, she said, adding that "patients may be willing to pay a criminal in order to keep medical information secret."</div><div><br /></div><div>Historically, many medical transcription companies were "mom and pop businesses with weak, minimal security and privacy controls in place, making them easy targets," Borten said. And any healthcare business associate that stores or has access to large volumes of detailed patient data is at higher risk of attacks involving data theft, she added.</div><div><br /></div><div>"There are many such 'backroom' business associates that provide services to multiple covered entities. For example, companies that process patient records requests typically have access to most or all of patients' designated record sets," Borten said. This puts these firms in the crosshairs of hackers and other threat actors.</div><div><br /></div><div>"These types of high-risk business associates should be identified by covered entities and upstream business associates and then prioritized for detailed review of their privacy and security policies and procedures," she said.</div><div><br /></div><div>"In some cases, a covered entity may recommend or request improvements, such as a more robust destruction policy, and technical changes such as data segmentation. 
Business associates should view such recommendations as beneficial to their businesses, in terms of both reducing breach risk and enhancing the company's profile."</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-62767895186831300092024-01-27T01:32:00.000-08:002024-01-27T01:32:58.100-08:00Nearly 800 GoAnywhere instances are unpatched, exposed to critical CVE<h1 style="text-align: left;"> Although patching lags, the number of hosts with publicly exposed and vulnerable admin interfaces is limited.</h1><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg06VYpKZvA35i4JtOa6daYL4zXJAS3hgzEdGyHwwXjQGLTBaBXrs03acV5rTPr-l4FXNwEUTcHYC-wKmMb6BilwVkrMNv3INs5WKC9bGE5iio07P2j-IWEi30Ru8iliRoCSUeUx0WKRkB6dMwX8r3Hv58yCkg0CcaUfcbV_ulHaK-_VjFQjTvi24SNR3se/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T151008.174.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg06VYpKZvA35i4JtOa6daYL4zXJAS3hgzEdGyHwwXjQGLTBaBXrs03acV5rTPr-l4FXNwEUTcHYC-wKmMb6BilwVkrMNv3INs5WKC9bGE5iio07P2j-IWEi30Ru8iliRoCSUeUx0WKRkB6dMwX8r3Hv58yCkg0CcaUfcbV_ulHaK-_VjFQjTvi24SNR3se/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202024-01-27T151008.174.png" width="320" /></a></div><br /><b><br /></b></div><div><div><b>Dive Brief:</b></div><div><ul style="text-align: left;"><li>Nearly 800 instances of Fortra’s GoAnywhere MFT remain unpatched and potentially exposed to a critical vulnerability disclosed earlier this week, according to Shadowserver data published Friday.</li><li>While many instances of the file-transfer service remain unpatched, fewer than 30 are vulnerable to exploits due to admin panel exposure 
on the public internet, Shadowserver said. Remote access to the administration panel is required for threat actors to exploit the critical authentication bypass vulnerability, CVE-2024-0204. </li><li>Fortra released a patch for the vulnerability on Dec. 7, but didn’t publicly disclose the vulnerability, which carries a CVSS score of 9.8, until this week.</li></ul></div><div><br /></div><div><b>Dive Insight:</b></div><div>GoAnywhere is used by more than 3,000 organizations, but active exploits and widespread exposure from the latest CVE in the file-transfer service have yet to materialize.</div><div><br /></div><div>The critical vulnerability quickly caught the attention of threat hunters and defenders, as multiple file-transfer services including GoAnywhere were broadly targeted in 2023. A zero-day vulnerability in GoAnywhere was widely exploited by the Clop ransomware group in early 2023.</div><div><br /></div><div>Censys on Wednesday observed nearly 170 hosts with publicly exposed GoAnywhere admin interfaces, but said it’s unclear how many are vulnerable to exploits.</div><div><br /></div><div>“Although this isn’t the most extensive level of exposure we’ve encountered, it does raise concerns given the nature of the data stored in these instances,” Himaja Motheram, security researcher at Censys, said in a blog post. “The relatively small number of hosts belies the potential damage that could occur with just one compromise.”</div><div><br /></div><div>The majority of GoAnywhere MFT admin interfaces running on default port settings are hosted in the U.S., according to Censys. More than 3 in 5 of those publicly exposed instances are hosted on cloud networks operated by Amazon, Microsoft and Google. 
</div><div><br /></div><div>“We expect to see a rise in scanning and compromise of exposed unpatched GoAnywhere MFT instances,” Motheram said. “Patching immediately is crucial.”</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-59065206931047121092023-11-05T06:13:00.001-08:002023-11-05T06:13:19.044-08:00ZDI DISCLOSES FOUR ZERO-DAY FLAWS IN MICROSOFT EXCHANGE<h1 style="text-align: left;"> Researchers disclosed four zero-day flaws in Microsoft Exchange that can be remotely exploited to execute arbitrary code or disclose sensitive information on vulnerable installs.</h1><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAhbHftlS3Qhi90Kkib8lc9BliNyWhNtobYv_eezue_9EZelIFjok0PVGIQWRU-imdpxVHah117TR4y0B9y2Osg0uNfoQ3z9OBjh8bbwukOsbS2bxn_oLt3uDRujtWRa_p2IY50G4Yk4VIn5CK2rYTetdanbQs9KWESRrwkbmXwawh97J9sdR0wDwTZZrL/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T194922.616.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAhbHftlS3Qhi90Kkib8lc9BliNyWhNtobYv_eezue_9EZelIFjok0PVGIQWRU-imdpxVHah117TR4y0B9y2Osg0uNfoQ3z9OBjh8bbwukOsbS2bxn_oLt3uDRujtWRa_p2IY50G4Yk4VIn5CK2rYTetdanbQs9KWESRrwkbmXwawh97J9sdR0wDwTZZrL/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T194922.616.png" width="320" /></a></div><br /><div><br /></div><div><div>Trend Micro’s Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in Microsoft Exchange that can be remotely exploited by an authenticated attacker to execute arbitrary code or disclose sensitive information on vulnerable installs.</div><div>Trend Micro’s Zero Day Initiative (ZDI) reported the flaws to Microsoft on 
September 7th and 8th, 2023, but the IT giant has yet to fix them, despite acknowledging the vulnerabilities. ZDI opted to publicly disclose the vulnerabilities in compliance with its responsible disclosure policy.</div><div><br /></div><div>Below is the list of flaws disclosed by ZDI:</div><div><br /></div><div><ul style="text-align: left;"><li>ZDI-23-1578 – Microsoft Exchange ChainedSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability – This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the ChainedSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.</li><li>ZDI-23-1579 – Microsoft Exchange DownloadDataFromUri Server-Side Request Forgery Information Disclosure Vulnerability – This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the DownloadDataFromUri method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the Exchange server.</li><li>ZDI-23-1580 – Microsoft Exchange DownloadDataFromOfficeMarketPlace Server-Side Request Forgery Information Disclosure Vulnerability – This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the DownloadDataFromOfficeMarketPlace method. 
The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the Exchange server.</li><li>ZDI-23-1581 – Microsoft Exchange CreateAttachmentFromUri Server-Side Request Forgery Information Disclosure Vulnerability – This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exchange. Authentication is required to exploit this vulnerability. The specific flaw exists within the CreateAttachmentFromUri method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the Exchange server.</li></ul></div><div>The vulnerabilities were discovered by Piotr Bazydlo (@chudyPB) of Trend Micro's Zero Day Initiative.</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-24252274558683094892023-11-05T05:53:00.001-08:002023-11-05T05:53:42.003-08:00American Airlines pilot union hit with ransomware<div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihMcUxeTnvvn34PFdqLqaXKm42mzAuF4B98Q3czf6uXSPZ0UHKm07esz6mgGNA2C3xTB2gnOWcB4Ytf3tRr2OpVPVDkPTXbWEJprh4bo4JvweyxgV472OakEX_0DQylJWrNC6anwfBGYReZCTMDTt8KvnzeIzXtcxfv3TIw2UBC2lBQq_hqThCGWDWkp1Z/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T193007.149.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihMcUxeTnvvn34PFdqLqaXKm42mzAuF4B98Q3czf6uXSPZ0UHKm07esz6mgGNA2C3xTB2gnOWcB4Ytf3tRr2OpVPVDkPTXbWEJprh4bo4JvweyxgV472OakEX_0DQylJWrNC6anwfBGYReZCTMDTt8KvnzeIzXtcxfv3TIw2UBC2lBQq_hqThCGWDWkp1Z/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T193007.149.png" width="320" /></a></div><br /></div><div style="text-align: left;">The American Airlines pilot union is working to restore its systems following a ransomware attack, the latest in a rash of cyber incidents affecting the aviation industry.</div><div><br /></div><div>The union, which represents more than 15,000 of the airline’s pilots, posted a notice on its website explaining it first discovered the cyberattack on October 30.</div><div><br /></div><div>The unnamed cybersecurity firm hired to conduct an investigation confirmed that the union was hit with ransomware and said some systems were encrypted.</div><div><br /></div><div>“As a result, the restoration of those systems has entailed a methodical and time-consuming process for our IT team and outside experts,” it said. “As we work to recover from backups, we are also continuing to assess potential impacts to data, including member data. 
Investigations of this nature often take time to complete.”</div><div><br /></div><div>The organization's IT team is working with outside experts to restore its systems and noted that efforts “are progressing,” allowing it to soon bring some services back online.</div><div><br /></div><div>“Once the initial restoration is in place, we will continue to restore additional services over the coming hours and days, placing a priority on pilot-facing products and tools,” the union explained.</div><div><br /></div><div>“We are working diligently to be fully operational as soon as possible, while keeping the security of our systems front and center.”</div><div><br /></div><div>In messages on social media, the union said the cybersecurity incident began in the early morning hours of October 30. Some core services were restored throughout the week, and the organization will continue to provide updates on its progress.</div><div><br /></div><div>The aviation industry has faced relentless attacks in the last six months. On Wednesday, one of the highest-traffic airports in Mexico was hit by a cyberattack, and a day later airplane maker Boeing confirmed that it is responding to a cyberattack involving its parts and distribution business.</div><div><br /></div><div>Both incidents were claimed by ransomware gangs. 
Air Canada and Air Europa have also both dealt with incidents in the last month while European aerospace giant Airbus said in September that it was investigating a cybersecurity incident.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-53304282778450549762023-11-05T05:46:00.000-08:002023-11-05T05:46:25.428-08:0081K people's sensitive info feared stolen from Hilb after email inboxes ransacked<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxGQET84gnbGVkSc7lR_S20TGl2TOX23cJsMhhHORlPgML4YDpO1i76koqkJ3UiWyqKrWrV4-3PaGySJEMCx0rXfPGECgeuWbkXLjaP34BJASDnKD5yy9Y4QWszqFpLo8iFLd4KmadZRZKYlDSr-NFscAF3evpfY_if0Ri5GaP58FaGVhUr70MQ4zCocnd/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T192124.432.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxGQET84gnbGVkSc7lR_S20TGl2TOX23cJsMhhHORlPgML4YDpO1i76koqkJ3UiWyqKrWrV4-3PaGySJEMCx0rXfPGECgeuWbkXLjaP34BJASDnKD5yy9Y4QWszqFpLo8iFLd4KmadZRZKYlDSr-NFscAF3evpfY_if0Ri5GaP58FaGVhUr70MQ4zCocnd/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T192124.432.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> Hilb Group has warned more than 81,000 people that around the start of 2023 criminals broke into the work email accounts of its employees and may have stolen a bunch of sensitive personal information.</div><div><br /></div><div>The financial biz handles property, casualty, and employee benefits insurance and advisory services at more than 130 locations across 22 US states. 
The Hilb Group did not immediately respond to The Register's inquiries about the extent of the intrusion or how the thieves were able to get at such personal info.</div><div><br /></div><div>What details are available are a little vague but worrying. In a notification to the Maine Attorney General's office on Thursday, the biz said miscreants accessed people's first and last names and sensitive financial data and credentials.</div><div><br /></div><div>Specifically, we're told: "Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account)." That notification includes a sample letter to those affected by the security breach, which states the stolen data was limited to people's names and Social Security numbers.</div><div><br /></div><div>Either way, not a good look for an outfit that claims to help people mitigate and manage risk.</div><div><br /></div><div>Hilb says it discovered "suspicious activity" related to employee email accounts around January 10. After doing some digging, and bringing on a third-party incident response firm, the insurance brokerage determined someone broke into those inboxes between December 1, 2022 and January 12, 2023. Months and months ago, in other words. After that, Hilb said it tried to figure out what data the intruders had access to.</div><div><br /></div><div>"We then began a thorough review of the contents of the email accounts in order to determine the type(s) of information contained within the accounts, and to whom that information related," the security breach notification letter [PDF] stated.</div><div><br /></div><div>It said it completed this review on July 28, and then started locating affected individuals, which took another few months, apparently. 
And then on October 9, Hilb says, it began sending out letters to 81,539 folks notifying them that their personal and financial data was potentially stolen.</div><div><br /></div><div>Hilb said upon discovering the intrusion it "immediately" secured the compromised email accounts, began a thorough investigation, and "implemented additional technical safeguards to enhance the security of information in our possession and to prevent similar incidents from happening in the future." So that's all right then.</div><div><br /></div><div>The Register will update this story if and when Hilb responds.</div><div><br /></div><div>To compensate for any stolen financial data, the insurance group is offering affected folks the usual free credit monitoring and identity protection services.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-29482618060371961402023-11-05T05:39:00.000-08:002023-11-05T05:39:14.850-08:00Dutch hacker jailed for extortion, selling stolen data on RaidForums<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivdmTvbrz2_kDTEB-te_DLt8yjBAX0ME4cG7A_K-eENW8_gUicEx53hRbaR-3D7Ve7aPZM0DLvsb7fUGO3ECL9eG3qaXau0HS_1eTuQPxsVBdz4zSRf8DJFwbADbjJs_5LmOwZ171ITv76ytJvJzyTHnM0xSp-jq8Bu3nI6f3rW0ucUM-Oek8dktGGfpOG/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T191444.824.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivdmTvbrz2_kDTEB-te_DLt8yjBAX0ME4cG7A_K-eENW8_gUicEx53hRbaR-3D7Ve7aPZM0DLvsb7fUGO3ECL9eG3qaXau0HS_1eTuQPxsVBdz4zSRf8DJFwbADbjJs_5LmOwZ171ITv76ytJvJzyTHnM0xSp-jq8Bu3nI6f3rW0ucUM-Oek8dktGGfpOG/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T191444.824.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> A former Dutch cybersecurity professional was sentenced to four years in prison after being found guilty of hacking and blackmailing more than a dozen companies in the Netherlands and worldwide.</div><div><br /></div><div>The suspect, a 21-year-old man from Zandvoort named Pepijn Van der Stap, has been convicted on multiple charges, including hacking into victims' computers, extortion, and laundering at least 2.5 million euros in cryptocurrency.</div><div><br /></div><div>The court sentenced him to four years of imprisonment, with one year being conditional, accompanied by a three-year probationary period. The verdict follows an extensive investigation conducted by the Dutch Public Prosecution Service, which asked for a six-year prison sentence.</div><div><br /></div><div>Van der Stap, along with his accomplices, was involved in a series of cybercrimes that targeted both domestic and international companies and institutions between August 2020 and January 2023, according to the Dutch Public Prosecution Service.</div><div><br /></div><div>The group resorted to blackmail as a means of extorting large amounts of money from targeted companies, threatening to leak the stolen data online unless a ransom was paid. 
Additionally, Van der Stap infiltrated various networks, stealing sensitive data from compromised companies and organizations.</div><div><br /></div><div>When searching his computer, law enforcement agents found various malicious tools and personal information stolen from millions of individuals, acquired through hacking, purchases, or exchanges with other cyber criminals, and put up for sale on various hacking forums.</div><div><br /></div><div>The Dutch Public Prosecution Service also revealed that Van der Stap helped other criminals by selling or trading this stolen sensitive data, causing millions in damages to the affected organizations.</div><div><br /></div><div>The investigation into Van der Stap's cybercriminal activity commenced in March 2021 following a report from an Amsterdam-based company. Despite ongoing legal proceedings, not all organizations have reported being targeted and the extent of their losses.</div><div><br /></div><div>Whitehat during the day, cybercriminal at night</div><div>At one point, Van der Stap worked for Hadrian Security and volunteered at the Dutch Institute for Vulnerability Disclosure (DIVD), as first reported by DataBreaches.net.</div><div><br /></div><div>He was also a member of the now-defunct RaidForums and BreachForums, as well as other hacking forums like Sinister[.]ly, HackForums, Leakforums, and Maza, using multiple nicknames, including Espeon, Umbreon, Lizardom, Egoshin, Togepi, OFTF, and Rekt.</div><div><br /></div><div>BreachForums (aka Breached) was seized in June 2023, three months after the arrest of its owner, Conor Fitzpatrick (aka Pompompurin).</div><div><br /></div><div>RaidForums was shut down in April 2022 after its founder and admin, Diogo Santos Coelho, was apprehended in a coordinated action involving law enforcement agencies in several countries.</div><div><br /></div><div>Both were considered the biggest hacking forums before their seizure, with hundreds of thousands of users employing them as online 
platforms for trading and selling stolen databases.</div><div><br /></div><div>"The majority of my criminal hacking activities took place before I started doing lawful work. I had already started cutting back on blackhat hacking before I started working for whitehat entities. Once I began working in legitimate jobs, I really started dedicating my skills to ethical purposes," Van der Stap told DataBreaches.net in an interview.</div><div><br /></div><div>"For about 16 months before my arrest, I was not engaged in much illegal activity and wanted to get out altogether. But as much as I wanted to get out, it felt impossible at times."</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-8450101653201395402023-11-05T05:30:00.001-08:002023-11-05T05:30:46.399-08:00OKTA CUSTOMER SUPPORT SYSTEM BREACH IMPACTED 134 CUSTOMERS<h1 style="text-align: left;"> Threat actors who breached the Okta customer support system also gained access to files belonging to 134 customers.</h1><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQrfTuXmxOej6ZSgqazmX5b8uKCYpxO4ul6E5H6qNfW1EZ3nqddeZLeEuDRcGvj2aA3pQ-V51eGGKY4ojs4scIVDk70f9gNpBzPg_dWV06SbLhQYSbV74675vFFNZKDh7QRHk4aaTPFlKV31Q5tfY2KVqNW4lNB6C2DkrNQsOwzLpR3zI-euOfcbrW3bVP/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T190657.960.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQrfTuXmxOej6ZSgqazmX5b8uKCYpxO4ul6E5H6qNfW1EZ3nqddeZLeEuDRcGvj2aA3pQ-V51eGGKY4ojs4scIVDk70f9gNpBzPg_dWV06SbLhQYSbV74675vFFNZKDh7QRHk4aaTPFlKV31Q5tfY2KVqNW4lNB6C2DkrNQsOwzLpR3zI-euOfcbrW3bVP/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T190657.960.png" width="320" /></a></div><br /><div><br /></div><div><div>Threat actors who breached the Okta customer support system in October gained access to files belonging to 134 customers, the company revealed.</div><div><br /></div><div>Some of the files accessed by the attackers are HAR files that contained session tokens. According to the company, the threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.</div><div><br /></div><div>In October, the cloud identity and access management solutions provider said that threat actors broke into its support case management system and stole authentication data, including cookies and session tokens, that can be abused in future attacks to impersonate valid users.</div><div><br /></div><div>Okta asks customers to upload an HTTP Archive (HAR) file in order to support them in solving their problems and replicating browser activity. HAR files can also contain sensitive data, including authentication information.</div><div><br /></div><div>According to the advisory published by the company, Okta Security has identified adversarial activity abusing access to a stolen credential to gain access to Okta’s support case management system.</div><div><br /></div><div>The attackers gained access to files uploaded by certain Okta customers as part of some recent support cases.</div><div>“On Thursday, October 19, Okta advised customers of a security incident. 
Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.” reads the post published by the company. “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.”</div><div>The three customers who shared their own responses to the event are Cloudflare, 1Password, and BeyondTrust.</div><div><br /></div><div>The attackers gained access to Okta’s customer support system by leveraging a service account stored in the system itself. The service account was granted permissions to view and update customer support cases. The security team at the company identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop.</div><div><br /></div><div>“The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.” continues the post.</div><div><br /></div><div>Okta disabled the compromised service account and blocked the use of personal Google profiles with Google Chrome on Okta-managed devices. 
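</div><div><br /></div><div>A defender-side illustration of the HAR-file risk described above, added here as an example and not code from Okta or from the original post: a small Python sanitizer that redacts cookies and authorization headers from a HAR (HTTP Archive) file before it is shared with a support team, plus a check that reports any session material still present in a file. The sample HAR in the block is constructed for the example (the hostname, cookie name and token value are made up), and the set of header names treated as sensitive is an assumption to extend for your own environment.</div>

```python
import copy
import json
import sys

# Header names whose values commonly carry session or bearer tokens.
# Assumption: this set is a starting point; extend it for your own environment.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers):
    """Replace the value of every sensitive header in place; header names are kept."""
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    """Replace every cookie value in place; cookie names are kept."""
    for c in cookies:
        c["value"] = REDACTED


def sanitize_har(har):
    """Return a deep copy of a parsed HAR with session material redacted.

    Both the request and the response side of every entry are scrubbed, so the
    Set-Cookie values issued by the server go as well as the Cookie header the
    browser sent. The input object is never mutated.
    """
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
    return out


def find_leaked_tokens(har):
    """List (entry index, side, item) for every sensitive value still present.

    Run this on a HAR before uploading it: an empty list means no cookie or
    auth header in the archive carries a live value.
    """
    hits = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    hits.append((i, side, "header:" + h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    hits.append((i, side, "cookie:" + c.get("name", "")))
    return hits


# Constructed sample HAR: one request/response pair carrying a made-up session cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=constructed-session-token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-session-token"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=constructed-session-token; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-session-token"}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    # With a path argument, sanitize that HAR file and write <path>.sanitized.har;
    # without one, demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            har = json.load(f)
        clean = sanitize_har(har)
        out_path = sys.argv[1] + ".sanitized.har"
        with open(out_path, "w", encoding="utf-8") as f:
            json.dump(clean, f, indent=2)
        print(f"wrote {out_path}; remaining leaks: {find_leaked_tokens(clean)}")
    else:
        print("leaks before:", find_leaked_tokens(SAMPLE_HAR))
        print("leaks after: ", find_leaked_tokens(sanitize_har(SAMPLE_HAR)))
```

<div>Run it against a real browser export with <code>python har_sanitize.py capture.har</code> (the script and capture file names are assumed); the sanitized copy is written beside the original and <code>find_leaked_tokens</code> on that copy should return an empty list. Header and cookie names are kept so the request flow stays reproducible for support, which is what a HAR is for, while the token values that would let a stolen file replay a session are removed.</div><div><br /></div><div>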
The company also employed additional detection and monitoring rules for the customer support system and opted to bind Okta administrator session tokens based on network location (Complete).</div><div><br /></div><div>Okta this week warned nearly 5,000 employees that their personal information was exposed due to a data breach suffered by the third-party vendor Rightway Healthcare.</div><div><br /></div><div>In early September, Okta warned customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions. The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attack to a specific threat actor.</div><div><br /></div><div>In December 2022, the American identity and access management giant revealed that its private GitHub repositories were hacked.</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-32025905226150333702023-11-05T05:25:00.001-08:002023-11-05T05:25:21.212-08:00US sanctions Russian accused of laundering virtual currency for ransomware affiliate<div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBumsnV7bW5dff-Wzp9ECCiS62vg9H1mi6CBRH68MEFOAK6BvtsguccrcOnaDjDN_z6YY-Ud5FIYCIUTAunOLksUQAHflkKY-JM3KFQms5G7NFY0nC638cBfAZluuH4lXczs1pLv9usFxUucsBcsVCPS_wfgLO4AcP4nvS73Y1kDgEdp4yc98F5FiUtsIo/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T190201.839.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBumsnV7bW5dff-Wzp9ECCiS62vg9H1mi6CBRH68MEFOAK6BvtsguccrcOnaDjDN_z6YY-Ud5FIYCIUTAunOLksUQAHflkKY-JM3KFQms5G7NFY0nC638cBfAZluuH4lXczs1pLv9usFxUucsBcsVCPS_wfgLO4AcP4nvS73Y1kDgEdp4yc98F5FiUtsIo/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T190201.839.png" width="320" /></a></div><br /> </div><div style="text-align: left;"><div>The Treasury Department on Friday sanctioned a Russian woman accused of laundering virtual currency on behalf of the country’s elites and cybercriminals, including an affiliate of Ryuk ransomware.</div><div><br /></div><div>According to the Office of Foreign Assets Control, Ekaterina Zhdanova worked to help other Russians evade sanctions imposed on the country’s financial system after the invasion of Ukraine. In one case, an unnamed oligarch approached Zhdanova about moving $100 million to the United Arab Emirates, OFAC said.</div><div><br /></div><div>In 2021, she allegedly laundered more than $2.3 million of “suspected victim payments” for a Ryuk ransomware affiliate. She ran the funds through the Garantex cryptocurrency exchange, which was itself designated by OFAC in 2022.</div><div><br /></div><div>According to OFAC, more than $100 million in transactions associated with darknet markets and criminals were conducted on the exchange before it was sanctioned.</div><div><br /></div><div>“Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Undersecretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. The OFAC announcement does not offer details about Zhdanova’s professional background.</div><div><br /></div><div>Ryuk ransomware wreaked havoc for years after emerging in 2018. 
In 2020, amid Covid-19 lockdowns, federal law enforcement agencies warned that the healthcare sector was under attack from Ryuk. The month before, hospital chain Universal Health Services had been hit with a Ryuk attack that ultimately cost the company $67 million.</div><div><br /></div><div>In February, a Russian man pleaded guilty in an Oregon federal court to laundering funds for Ryuk over the course of three years. He was accused of being a middleman for the group alongside 13 unnamed co-conspirators.</div><div><br /></div><div>Sanctions against individuals like Zhdanova are often more symbolic than impactful, as Russians involved in illicit activity are unlikely to have property or business interests in the United States.</div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-48967648030249705672023-11-05T05:18:00.001-08:002023-11-05T05:18:57.266-08:00Singapore public health services hit by DDoS attacks<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1RG7eCZ-37nlmdhO4Imv0Ej_dvtyq6Gtl4VlCFvG6Hk2VeaEbcrmmaA9GKhtQR9H0mqDk3vgi2JgHU6xc3xprvkF2zWFU1_AvDoMtCtfLZg0g4_02hEYxGN8EaZV0jx5R6TEFlV6qxT6-KZj1ezLtyTmaXST8zhM1jEu-3SjEKoc8INDxGyAmtX2IbNnx/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T185512.763.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1RG7eCZ-37nlmdhO4Imv0Ej_dvtyq6Gtl4VlCFvG6Hk2VeaEbcrmmaA9GKhtQR9H0mqDk3vgi2JgHU6xc3xprvkF2zWFU1_AvDoMtCtfLZg0g4_02hEYxGN8EaZV0jx5R6TEFlV6qxT6-KZj1ezLtyTmaXST8zhM1jEu-3SjEKoc8INDxGyAmtX2IbNnx/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-11-05T185512.763.png" width="320" /></a></div><br /><div 
style="text-align: left;"><br /></div><div style="text-align: left;"> Hackers disrupted internet connectivity in public healthcare institutions in Singapore this week with distributed denial-of-service (DDoS) attacks, a health technology agency that oversees the institutions said.</div><div><br /></div><div>Synapxe, which manages operations of 46 public healthcare institutions in Singapore and around 1,400 community partners such as nursing homes and general practitioners, said there is no evidence that public healthcare data, patient data or internal networks have been compromised.</div><div><br /></div><div>Disruptions to internet connectivity affecting all public healthcare clusters in Singapore started on Wednesday and lasted for about seven hours.</div><div><br /></div><div>During that time, services like websites, emails, and productivity tools for staff were inaccessible. DDoS attacks flood websites with junk internet traffic to prevent legitimate users from accessing them.</div><div><br /></div><div>Users had reported errors when trying to access the websites of some public healthcare institutions, such as Singapore General Hospital, National University Hospital and Tan Tock Seng Hospital, according to local media.</div><div><br /></div><div>Synapxe said it was able to maintain the operation of critical systems needed to provide clinical services at the public healthcare institutions, including access to patient records.</div><div><br /></div><div>According to the agency, the DDoS attacks on Singapore’s healthcare institutions are continuing, and occasional disruptions in internet services may still occur.</div><div><br /></div><div>“The public healthcare sector will take this opportunity to review our defenses against DDoS attacks, and learn from the episode to further strengthen our cybersecurity,” Synapxe said.</div><div><br /></div><div>It is not yet clear who is behind the attacks.</div>Divya 
Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-9012085552785168882023-10-31T07:25:00.000-07:002023-10-31T07:25:03.407-07:00Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju5hf1p04rF12IPGVm8wwU6COhVrfzaoDFIWwkV5AIs5CBy85fLStsjdeHi1_do80JEQ7u1z-c6246tpXPSonM-MsRm25kqEqTEkdW_PvWnQ3aeOmoaHcSUg02twK8h1W2JqxJMrkM9RT7HLLaB9aSp3t0E5hHpd_eQxfsIzVOsKaLRkg_rXwbkd8Elq-O/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T200110.051.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju5hf1p04rF12IPGVm8wwU6COhVrfzaoDFIWwkV5AIs5CBy85fLStsjdeHi1_do80JEQ7u1z-c6246tpXPSonM-MsRm25kqEqTEkdW_PvWnQ3aeOmoaHcSUg02twK8h1W2JqxJMrkM9RT7HLLaB9aSp3t0E5hHpd_eQxfsIzVOsKaLRkg_rXwbkd8Elq-O/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T200110.051.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war.</div><div><br /></div><div>"This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. 
"It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions."</div><div><br /></div><div>Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string "BiBi" (in the format "[RANDOM_NAME].BiBi[NUMBER]"), and excluding certain file types from being corrupted.</div><div><br /></div><div>"While the string 'bibi' (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu," the cybersecurity company added.</div><div><br /></div><div>The destructive malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders via command-line parameters, by default opting for the root directory ("/") if no path is provided. However, performing the action at this level requires root permissions.</div><div><br /></div><div>Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. 
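The rename format described above, together with the .out and .so files the report says the wiper leaves alone, gives a responder a cheap filesystem signature to hunt for. The following Python script is an added example for this page, not code from Security Joes' report or from the wiper itself: it walks a directory tree, flags files whose names match the `[RANDOM_NAME].BiBi[NUMBER]` pattern, and reports directories where such files dominate, since one odd filename proves little but a directory full of them does. The sample tree it scans is constructed in a temporary directory so the script runs offline, and the `min_hits`/`min_ratio` thresholds are assumptions chosen for illustration, not values from the report.

```python
#!/usr/bin/env python3
"""Hunt for BiBi-Linux Wiper artifacts by filename.

Added example for this page; not code from Security Joes or from the malware.
The wiper overwrites files and renames them "[RANDOM_NAME].BiBi[NUMBER]"
(per the report), so a directory full of such names is a strong indicator.
"""
import os
import re
import shutil
import tempfile

# Rename pattern reported for the wiper: arbitrary stem, literal ".BiBi", then digits.
# Case-sensitive on purpose: the report describes a hard-coded "BiBi" string.
BIBI_NAME = re.compile(r"^[^/]+\.BiBi\d+$")

# Extensions the report says the wiper skips (.out and .so); intact files with
# these extensions next to renamed siblings are consistent with a wiper run.
SPARED_EXT = (".out", ".so")


def is_bibi_name(name: str) -> bool:
    """True if a bare filename matches the reported rename pattern."""
    return BIBI_NAME.fullmatch(name) is not None


def scan_tree(root: str) -> dict:
    """Walk root and return, per directory with at least one hit,
    the renamed files, the total file count and any spared files."""
    report = {}
    for dirpath, _subdirs, files in os.walk(root):
        hits = sorted(f for f in files if is_bibi_name(f))
        if not hits:
            continue
        report[dirpath] = {
            "renamed": hits,
            "total": len(files),
            "spared": sorted(f for f in files if f.endswith(SPARED_EXT)),
        }
    return report


def suspicious_dirs(report: dict, min_hits: int = 3, min_ratio: float = 0.5) -> list:
    """Directories where renamed files dominate. Thresholds are assumptions
    chosen for illustration, not values from the report."""
    flagged = []
    for dirpath, info in report.items():
        n = len(info["renamed"])
        if n >= min_hits and n / info["total"] >= min_ratio:
            flagged.append(dirpath)
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed fixture, not a real infection: one directory that looks
    wiped (renamed files beside intact .so/.out files) and one clean directory
    with look-alike names that must not match."""
    root = tempfile.mkdtemp(prefix="bibi-hunt-")
    wiped = os.path.join(root, "srv", "data")
    clean = os.path.join(root, "home", "user")
    os.makedirs(wiped)
    os.makedirs(clean)
    for name in ("aXq7Lm.BiBi1", "p0Tz9k.BiBi2", "Vb3nRw.BiBi3", "libfoo.so", "nohup.out"):
        open(os.path.join(wiped, name), "wb").close()
    for name in ("notes.txt", "report.BiBi", "archive.bibi7", "photo.jpg"):
        open(os.path.join(clean, name), "wb").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        result = scan_tree(sample_root)
        for d in suspicious_dirs(result):
            info = result[d]
            print(f"{d}: {len(info['renamed'])}/{info['total']} files renamed, "
                  f"spared: {', '.join(info['spared']) or 'none'}")
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

Point `scan_tree` at a real mount point (for example `/srv` or `/home`) to hunt on a suspect host; the match is case-sensitive and requires the trailing number, so a stray `.BiBi` or lower-case `.bibi7` name is not counted, which keeps the per-directory ratio honest.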
Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.</div><div><br /></div><div>"This is because the threat relies on files such as bibi-linux.out and nohup.out for its operation, along with shared libraries essential to the Unix/Linux OS (.so files)," the company said.</div><div><br /></div><div>The development comes as Sekoia revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.</div><div><br /></div><div>"Targeting individuals is a common practice of Arid Viper," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said in an analysis released last week.</div><div><br /></div><div>"This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements."</div><div><br /></div><div>Attack chains orchestrated by the group include social engineering and phishing attacks as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. 
This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper that's written in Rust.</div><div><br /></div><div>"Collectively, Arid Viper's arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few," ESET noted earlier this month.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-80801012202923593722023-10-31T07:17:00.000-07:002023-10-31T07:17:02.948-07:00Apple Improves iMessage Security With Contact Key Verification<h1 style="text-align: left;">Apple on Friday introduced contact key verification, a new capability meant to improve the security of its iMessage service.</h1><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFuj0w0UQyfZR_aDnUb3Y7b3_tzukUKHO1bzPJrFBBNEnJuSQpA6qpJyivYZSLSgUTmyIFKxNpFaFm2SJm8FABB_Sluttc3Q8_-8ggspOgqZqwA464pXKS_KoK0gcRYHXxXnlNFsaRw1gTFpv1rPK2tfBKNk5NOJNGA5fPpIYBvqol1l4EVu1519LplSX/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T195228.855.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFuj0w0UQyfZR_aDnUb3Y7b3_tzukUKHO1bzPJrFBBNEnJuSQpA6qpJyivYZSLSgUTmyIFKxNpFaFm2SJm8FABB_Sluttc3Q8_-8ggspOgqZqwA464pXKS_KoK0gcRYHXxXnlNFsaRw1gTFpv1rPK2tfBKNk5NOJNGA5fPpIYBvqol1l4EVu1519LplSX/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T195228.855.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> To ensure the privacy of conversations, iMessage offers end-to-end 
encryption, so that only the sender and receiver can read a message, and relies on sets of encryption keys, where public keys are stored on a key directory service, while private keys rest on the device and never leave it.</div><div><br /></div><div>Key directory services, like Apple’s identity directory service, represent a single point of failure, where a powerful adversary may be able to compromise the service to intercept or monitor encrypted messages.</div><div><br /></div><div>To address the shortcoming, iMessage contact key verification, Apple explains, relies on key transparency, a mechanism that uses a verifiable log-backed map data structure to deliver cryptographic proofs of inclusion, ensuring user privacy and allowing audits.</div><div><br /></div><div>“iMessage contact key verification advances the state of the art of key transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account,” Apple says.</div><div><br /></div><div>This mechanism, the tech giant notes, is meant to protect against both key directory and transparency service compromises, allowing changes to the log-backed map while making device keys immediately verifiable.</div><div><br /></div><div>iMessage contact key verification, Apple explains, uses an account-level elliptic curve digital signature algorithm (ECDSA) signing key that is generated on the device, stored in iCloud keychain, and available to the user on their trusted devices only.</div><div><br /></div><div>“Each device uses the synchronized account key to sign its iMessage public keys. 
The account keys and signatures are included in the IDS service database along with the existing data,” Apple notes.</div><div><br /></div><div>When the user enables iMessage contact key verification, their devices verify that the key transparency map includes the data presented by the identity directory service, and notifies the user if a validation error occurs.</div><div><br /></div><div>Users’ devices will periodically query the service for account information, verify the response against the key transparency mechanism, and flag inconsistencies.</div><div><br /></div><div>“[The user’s] devices will additionally compare the KT data for identifiers, device records, and opt-in state against records stored in an end-to-end encrypted CloudKit container. This database is maintained by [the user’s] devices and is not readable or modifiable by Apple,” the tech giant explains.</div><div><br /></div><div>Additionally, iMessage contact key verification allows users to perform manual contact verification code comparisons using the Vaudenay SAS protocol. Upon successful verification, the hash of the peer’s account key is saved to an end-to-end encrypted CloudKit container and linked to the peer’s card.</div><div><br /></div><div>“Because the contact card is linked, all conversations with the peer’s identifiers — phone number and email address — are marked as verified. 
Group chats with peers that have been independently verified one-to-one are also automatically marked as verified,” Apple explains.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-30596578055266060542023-10-31T07:09:00.001-07:002023-10-31T07:09:06.047-07:00Crypto thief steals $4.4M in a day as toll rises from LastPass breach<h1 style="text-align: left;">Estimates in September revealed that at least $35 million in crypto has been stolen from victims of the LastPass breach since 2022, with the latest hack adding to the toll.</h1><div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7HhxqhMs4WCe8dahBLx62WPyeespEW0dQJHJ1BUG4aVQ3FNKef6i-Pdu-jfwsEX6YwdAzMBIhF_HqfZ8XvBc9QlZlboxSrU6ktmaXMSSNTNoSCkgxm89TyGnAE0yQdMhWZjmaXSucI-yGSqlXEk6i2fPQ-q7AnreJJrCrmOhVMDTFlWScYLP5I80iNeu/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T194514.496.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge7HhxqhMs4WCe8dahBLx62WPyeespEW0dQJHJ1BUG4aVQ3FNKef6i-Pdu-jfwsEX6YwdAzMBIhF_HqfZ8XvBc9QlZlboxSrU6ktmaXMSSNTNoSCkgxm89TyGnAE0yQdMhWZjmaXSucI-yGSqlXEk6i2fPQ-q7AnreJJrCrmOhVMDTFlWScYLP5I80iNeu/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T194514.496.png" width="320" /></a></div><br /></div><div style="text-align: left;">At least 25 people have reportedly seen $4.4 million in crypto drained from across 80 wallets due to a 2022 data breach that impacted password storage software LastPass.</div><div><br /></div><div>In an Oct. 
27 X (Twitter) post, pseudonymous on-chain researcher ZachXBT said he and MetaMask developer Taylor Monahan tracked the fund movements of at least 80 wallets compromised on Oct. 25.</div><div><br /></div><div>“Most, if not all, of the victims are longtime LastPass users and/or confirm having stored their [crypto wallet] keys/seeds in LastPass,” Monahan said in an accompanying Chainabuse report.</div><div><br /></div><div>In December 2022, LastPass disclosed that an attacker leveraged information previously stolen in a breach in August to target a LastPass employee, snagging their credentials and decrypting stored customer information.</div><div><br /></div><div><span style="background-color: white; font-family: "Open Sans", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;">Also stolen was a backup of encrypted customer vault data, which LastPass warned could be decrypted if the attacker guesses the account’s master password by brute force.</span></div><div><span style="background-color: white; font-family: "Open Sans", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;"><br /></span></div><div><span style="background-color: white;"><span style="font-family: Open Sans, -apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Helvetica, Arial, sans-serif;"><div>In a September blog post, cybersecurity journalist Brian Krebs reported that some of the LastPass customer vaults had seemingly been cracked and over $35 million worth of crypto had been stolen from around 150 victims.</div><div><br /></div><div>In January, LastPass was hit with a class-action suit from individuals claiming the August 2022 breach resulted in the theft of around $53,000 worth of Bitcoin.</div><div><br /></div><div>In his latest X post, ZachXBT advised anyone who ever stored a wallet seed or private key in LastPass to “migrate your 
crypto assets immediately.”</div></span></span></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-76920754614547625602023-10-31T06:59:00.001-07:002023-10-31T06:59:58.329-07:00Meta Launches Paid Ad-Free Subscription in Europe to Satisfy Privacy Laws<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXcip3xDOP4gA99g2B7k7j4kRPIx1bK74vQPCiP2WJ52RxuRxwIutZO6bRdb09Bw_P4moeonQxa5LqO76GpkoPreLbEGCdU1KF3V9smTsrpVMwExR5KTAc9dPer9QtlX5n_BF3AUh2xwkz8qh0HC18GGBWWWPEIdKNFZ5MCvNI19GT2KU9sBh6oEw3eDbR/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T193517.579.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXcip3xDOP4gA99g2B7k7j4kRPIx1bK74vQPCiP2WJ52RxuRxwIutZO6bRdb09Bw_P4moeonQxa5LqO76GpkoPreLbEGCdU1KF3V9smTsrpVMwExR5KTAc9dPer9QtlX5n_BF3AUh2xwkz8qh0HC18GGBWWWPEIdKNFZ5MCvNI19GT2KU9sBh6oEw3eDbR/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T193517.579.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> Meta on Monday announced plans to offer an ad-free option to access Facebook and Instagram for users in the European Union (EU), European Economic Area (EEA), and Switzerland to comply with "evolving" data protection regulations in the region.</div><div><br /></div><div>The ad-free subscription, which costs €9.99/month on the web or €12.99/month on iOS and Android, is expected to be officially available starting next month. 
The company's proposal for a subscription version of its service was first reported by The Wall Street Journal earlier this month.</div><div><br /></div><div>"In November, we will be offering people who use Facebook or Instagram and reside in these regions the choice to continue using these personalized services for free with ads, or subscribe to stop seeing ads," the company said.</div><div><br /></div><div>"While people are subscribed, their information will not be used for ads."</div><div><br /></div><div>While the fee covers all linked accounts for a user, beginning March 1, 2024, the company plans to levy an additional fee — of €6/month on web and €8/month on iOS or Android — for each additional account listed in a user's Account Center.</div><div><br /></div><div>The concession comes after the tech giant was slapped with a €390 million fine in January, related to breaches of Europe's flagship privacy law, the General Data Protection Regulation.</div><div><br /></div><div>Specifically, the Irish Data Protection Commission (DPC) found that in order for users to access Meta's digital real estate, they had no choice but to accept the terms of service and therefore consent to allow targeted advertising based on their online activity.</div><div><br /></div><div>In August 2023, Meta said it intends to switch to a consent-based approach, giving users a choice to deny its behavioral advertising practices.</div><div><br /></div><div><br /></div><div>Meta also pointed out that its subscription model is a "valid form of consent for an ads funded service," citing a July ruling from the Court of Justice of the European Union (CJEU), which stated that online platforms can offer an equivalent alternative "for an appropriate fee" that's "not accompanied by such data processing operations."</div><div><br /></div><div>Coinciding with the development, Meta said it will also temporarily pause showing any ads to users aged under 18 in areas where the ad-free subscription is 
available, starting November 6, 2023.</div><div><br /></div><div>"The option for people to purchase a subscription for no ads balances the requirements of European regulators while giving users choice and allowing Meta to continue serving all people in the EU, EEA and Switzerland," the company added.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-32222015176255783852023-10-31T06:54:00.001-07:002023-10-31T06:54:30.402-07:00Five Guys discloses hack of 2 employees’ emails<div class="article-title-wrapper" style="background-color: white; box-sizing: inherit; margin-bottom: 1.125rem; padding: 0px;"><h1 style="box-sizing: inherit; line-height: 1.6; margin: 0.5rem 0px 0px;"><span style="color: #0a0a0a; font-family: source serif 4, serif; font-size: x-large;">The disclosure comes weeks after the company agreed to settle a federal class action suit stemming from a 2022 attack.</span></h1><div><span style="color: #0a0a0a;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqFXc34m46g8uyHlZKj5PA55tdGVHO_2ETGRsdOH3GOkhXBQ4Fw4gSHwaIvjPmjWsHwNAMAvFIx9XsLJBHOGmY_5qlaqlMIirOmRmv6HLA2fWh6q-Vip98oYegg8p_C_xFDnvoLXL3_evoVxZ8zV3hRJTouPNAgi8sgPRMcf9QewwzOFisas6fwKIAIHGr/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T193054.717.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqFXc34m46g8uyHlZKj5PA55tdGVHO_2ETGRsdOH3GOkhXBQ4Fw4gSHwaIvjPmjWsHwNAMAvFIx9XsLJBHOGmY_5qlaqlMIirOmRmv6HLA2fWh6q-Vip98oYegg8p_C_xFDnvoLXL3_evoVxZ8zV3hRJTouPNAgi8sgPRMcf9QewwzOFisas6fwKIAIHGr/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T193054.717.png" width="320" /></a></div><br /><div><br 
/></div><div>Five Guys disclosed a security breach where hackers gained access to the email accounts of two employees, according to consumer disclosure letters filed Friday with the attorneys general of California and Maine. </div><div><br /></div><div>The breaches, discovered on June 7, were the result of business email compromise, Sam Chamberlain, COO of Five Guys, said in the filing with the Office of the Maine Attorney General. The Lorton, Va.-based hamburger chain, which has about 1,700 locations worldwide, did not indicate how many total individuals were impacted, but only three Maine residents were affected. </div><div><br /></div><div>The breach disclosure comes just weeks after Five Guys agreed to settle a federal class action lawsuit involving a September 2022 incident. In that breach, files linked to the company employment process were impacted, affecting more than 37,000 individuals, according to records filed in Maine.</div><div><br /></div><div>BlackCat/AlphV in February claimed credit for attacking Five Guys, according to a February post on X by security researcher Dominic Alvieri.</div><div><br /></div><div>Social Security numbers of three Maine residents were accessed as part of the incident, according to the Maine filing.</div><div><br /></div><div>In the most recent incident, one employee account was accessed between March 20 and March 31, while the second email account was accessed between May 31 and June 7, according to breach notifications. </div><div><br /></div><div>Both accounts had multifactor authentication enabled, and Five Guys immediately enacted its incident response plans, took steps to secure the accounts and retained an outside cybersecurity firm with experience handling similar incidents. 
</div><div><br /></div><div>Chamberlain apologized in the letter and said the company had taken additional measures to prevent a similar incident.</div><div><br /></div><div>A spokesperson for Five Guys was not immediately available. An attorney for BakerHostetler, listed as outside counsel for Five Guys, was not immediately available.</div></span></div></div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-62821746788355670362023-10-31T06:49:00.001-07:002023-10-31T06:49:46.086-07:00Report Links ChatGPT to 1265% Rise in Phishing Emails<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHY2xC3fQJwcm5zpugZd4xc2O-smHnJrwvOx23BMGlq-MQV5evUB57232afFKZWlMmiYl1bbNG1TGjuikVJWj2BS2ZwJ4BS8JSjpI04bKz1YfNlsp2jUBRocsrglHJOozVZxJOqsQ_f4_Kwil46JJFxDEIu5jQ4cDUVGu94Gl47kFMQfjriDJeWisE6Wdb/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T192612.965.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img 
border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHY2xC3fQJwcm5zpugZd4xc2O-smHnJrwvOx23BMGlq-MQV5evUB57232afFKZWlMmiYl1bbNG1TGjuikVJWj2BS2ZwJ4BS8JSjpI04bKz1YfNlsp2jUBRocsrglHJOozVZxJOqsQ_f4_Kwil46JJFxDEIu5jQ4cDUVGu94Gl47kFMQfjriDJeWisE6Wdb/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-31T192612.965.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> The SlashNext State of Phishing Report 2023 has unveiled a concerning trend in the cybersecurity landscape, revealing a 1265% surge in malicious phishing emails since Q4 2022.</div><div><br /></div><div>The annual report, compiled by SlashNext Threat Labs, encompasses an analysis of threats observed across email, mobile and browser channels over 12 months, from Q4 2022 to Q3 2023. The report also emphasized a noteworthy 967% increase in credential phishing attacks.</div><div><br /></div><div>Patrick Harr, CEO of SlashNext, has attributed these figures to the growing role of generative AI.</div><div><br /></div><div>“We know from our research that threat actors are leveraging tools like ChatGPT to help write sophisticated, targeted Business Email Compromise (BEC) and other phishing messages, and an increase in the volume of these threats of over 1,000% corresponding with the time frame in which ChatGPT was launched is not a coincidence,” the executive said.</div><div><br /></div><div>“Our aim is not to overstate or exaggerate the threats stemming from generative AI, but to help our customers and the cybersecurity community at large understand the true dangers and respond appropriately.”</div><div><br /></div><div>Other key findings include an average of 31,000 daily phishing attacks, with 68% of these identified as text-based BEC. 
The research, inclusive of a survey involving over 300 cybersecurity professionals, indicates that 46% of respondents have encountered BEC attacks. </div><div><br /></div><div>Furthermore, 77% of these professionals have been the subject of phishing attempts, with 28% of those attacks being delivered through text messages. Mobile-based attacks include a notable 39% classified as SMS phishing (Smishing).</div><div><br /></div><div>The report emphasized the evolution of the threat landscape, specifically highlighting the growing significance of mobile-based and multi-stage attacks. It underscores the urgency for organizations to adopt comprehensive protective measures, with an increasing reliance on AI-driven solutions to counter the proliferation of AI-fueled cyber-threats.</div><div><br /></div><div>“The threat landscape is shifting incredibly fast now with the introduction of AI to the game,” commented Mika Aalto, co-founder and CEO at Hoxhunt. “But the good news is that AI can also be used to defend against sophisticated attacks, and we’ve seen that good training continues to have a protective effect against AI-generated threats.”</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-37969640186692356912023-10-29T08:10:00.001-07:002023-10-29T08:10:51.684-07:00Humans Need to Rethink Trust in the Wake of Generative AI<div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7fZ0iyjD-PlRBaVo7IRZ0A9rDp35T_b4jI79d6eD6x0jnUhiqBlnYpGhgbP9mlf_nIW56_G8E7Gl5ypSK_tOWqyu4oAhAcHKrWSveNL5noSyUfmiTHEheNQiGjiozvBZDXKPn-HZsFQdip_P5d11wVuSNKa3qa-V4d_zgbYs2CTaJa3CxTSX2bifvpSDP/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T204717.584.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" 
data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7fZ0iyjD-PlRBaVo7IRZ0A9rDp35T_b4jI79d6eD6x0jnUhiqBlnYpGhgbP9mlf_nIW56_G8E7Gl5ypSK_tOWqyu4oAhAcHKrWSveNL5noSyUfmiTHEheNQiGjiozvBZDXKPn-HZsFQdip_P5d11wVuSNKa3qa-V4d_zgbYs2CTaJa3CxTSX2bifvpSDP/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T204717.584.png" width="320" /></a></div><br /></div><div style="text-align: left;">As generative AI rapidly evolves, one of the most discussed risks is the potential for the technology to be used to generate disinformation and misinformation. This means that humans need to rethink how and what we trust.</div><div><br /></div><div>Of 2,300 digital trust professionals surveyed by ISACA in its Generative AI Survey, 77% said the top risk posed by generative AI today is misinformation and disinformation.</div><div><br /></div><div>The top five concerns surrounding Generative AI were:</div><div><br /></div><div><ol style="text-align: left;"><li>Disinformation/misinformation (77%)</li><li>Privacy violations (68%)</li><li>Social engineering (63%)</li><li>Loss of intellectual property (58%)</li><li>Job displacement (35%)</li></ol></div><div>Deepfakes, used to spread dis- and misinformation, alter a person’s likeness in a photo or video clip, generating entirely new content that appears quite realistic.</div><div><br /></div><div>Communicating via video or audio is a much faster way to get information across than text, and there is a risk that AI-generated video and voice communications will spread content that is untruthful or is used to trick victims into taking actions.</div><div><br /></div><div>Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said during the association’s Digital Trust Summit in Dublin, Ireland: “Pictures are worth a thousand words, and we’re not trained to question what we see. 
We’re only trained to question what we hear or read, so this is a new advent for the human race, to question what we see as being legitimate or not.”</div><div><br /></div><div>In Summer 2023, UK TV personality and financial expert Martin Lewis spoke out after a deepfake likeness of himself promoting an investment scam was published on Facebook.</div><div><br /></div><div>Meanwhile, a recent study by University College London found that humans are unable to detect deepfake speech 27% of the time.</div><div><br /></div><div>Learning to Trust Again</div><div>Speaking to Infosecurity, Enrique Perez, strategic communication specialist with NATO, said: “The problem is you cannot believe anything any more even though you are seeing and hearing it. It is a trust issue, and we have to learn to trust again.”</div><div><br /></div><div>Perez called on organizations to work together to combat today’s evolving cybersecurity challenges.</div><div><br /></div><div>“Nobody can act alone, we need each other, and the sharing of information is needed,” he said.</div><div><br /></div><div>Out of the 334 business and IT professionals working in Europe surveyed, 99% say they are worried, to some extent, about the potential exploitation of generative AI by bad actors. 
Furthermore, 74% believe that cybercriminals are harnessing AI with equal or even greater success than digital trust professionals.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-21029684847756389412023-10-29T08:00:00.000-07:002023-10-29T08:00:03.914-07:00California city warns of data breach after ransomware attack claims<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkWExqex6M5v3BQroePENa4Jgurz6qCwThzaMhiBWfeBqoLWWf5VElh7mjRRWlpn6y_3q-pDd2aOU87XmG6l_QQAA3fjI7MbnXHzu35acGeG2tToaClV1bAj8hlSEvkjW9-R71p6gv155kK_kZfVjLPPjYGEOyYZJiTe16sNh0llsYLc3x50LTWzt5Us_T/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T203556.354.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkWExqex6M5v3BQroePENa4Jgurz6qCwThzaMhiBWfeBqoLWWf5VElh7mjRRWlpn6y_3q-pDd2aOU87XmG6l_QQAA3fjI7MbnXHzu35acGeG2tToaClV1bAj8hlSEvkjW9-R71p6gv155kK_kZfVjLPPjYGEOyYZJiTe16sNh0llsYLc3x50LTWzt5Us_T/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T203556.354.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> A city in California warned residents this week that their data was accessed by hackers who were in government systems for more than a month.</div><div><br /></div><div>Officials in Victorville — a city of about 135,000 residents two hours northeast from Los Angeles — sent out breach notification letters to people warning that hackers were in their systems from August 12 to September 26.</div><div><br /></div><div>“We reviewed the files that were accessed and determined that one or more file(s) contained your name and one or more of 
the following: Social Security number; driver’s license number or state identification card number; medical information, and health insurance policy number,” the city said.</div><div><br /></div><div>The city is offering victims one year of identity protection services. City officials did not respond to requests for comment about the specifics of the incident, but on September 25, they wrote on Facebook that they were dealing with outages affecting phone and website systems.</div><div><br /></div><div>“This impacts our online bill pay site and online form submittals. No late fees or utility shutoffs will be assessed while the system is down. We apologize for the inconvenience as we work to resolve these issues. If you need assistance, we have set up a number of temporary service lines to receive all inquiries,” they said, urging city residents to pay bills in person if possible.</div><div><br /></div><div>The city said it was able to restore phone and website services on October 3 but that web-based systems were still not functioning. It never provided another update on the situation.</div><div><br /></div><div>On Tuesday, the NoEscape ransomware gang added the city to its list of victims, claiming it stole 200GB of data from government systems.</div><div><br /></div><div>Victorville is located in San Bernardino County, which dealt with its own ransomware attack in April.</div><div><br /></div><div>The attack on Victorville is the latest in a spate of attacks targeting cities across California this year. Oakland, San Francisco, El Cerrito, Modesto and Hayward have all dealt with devastating ransomware attacks that limited government services for weeks and caused a range of issues for local residents.</div><div><br /></div><div>The NoEscape ransomware gang emerged in May and has pulled off a series of high-profile attacks on prominent institutions. 
Last month the group attacked the organization tasked with managing the lake and river systems along the border between the U.S. and Canada.</div><div><br /></div><div>NoEscape hackers have taken credit for attacks on Germany’s bar association and Hawaiʻi Community College as well as Australian companies, a hospital in Belgium, a manufacturing company in the US and another manufacturing company in the Netherlands.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-3592994493130488312023-10-29T07:37:00.001-07:002023-10-29T07:37:09.455-07:00US Senator Quizzes 23andMe Over Credential-Stuffing Hack<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgunqCyZKFxxcRcHGehUj2JL6biP5UEDP2i6CjsZmiCOZy1rxXlfl_0Fw8jA3Ke-gC6V50r4irhxJQuK-Epmov7wj4EtUZ94fHqLn3J6m99026eGQ_F5gWsXI9NvvfTl1uyz0aHWzYbvbE9Ho7rG_rWYtbAEMkeKJcGrZrB6iAItghtKBAEy998OcZMTddJ/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T201342.326.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgunqCyZKFxxcRcHGehUj2JL6biP5UEDP2i6CjsZmiCOZy1rxXlfl_0Fw8jA3Ke-gC6V50r4irhxJQuK-Epmov7wj4EtUZ94fHqLn3J6m99026eGQ_F5gWsXI9NvvfTl1uyz0aHWzYbvbE9Ho7rG_rWYtbAEMkeKJcGrZrB6iAItghtKBAEy998OcZMTddJ/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T201342.326.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> Genetics testing firm 23andme is facing intensifying scrutiny in the wake of a credential-stuffing hacking incident that leaked genetic ancestry information of potentially millions of customers. The company has been hit by at least 16 proposed U.S. 
federal class action lawsuits, and it has until Nov. 3 to respond to an inquiry by a high-ranking U.S. senator.</div><div><br /></div><div>The proposed class action lawsuits seek monetary damages as well as an injunctive order for the California-based company - which has 14 million customers - to improve its data security practices.</div><div><br /></div><div>Meanwhile, Sen. Bill Richards, R-La., ranking member of the Senate committee on health, education, labor and pensions and one of four physicians currently serving in the Senate, in an Oct. 20 letter grilled 23andMe CEO Anne Wojcicki, requesting that she respond by Nov. 3 to about a dozen questions about the breach and the company's data protection practices.</div><div><br /></div><div>"What search tools and algorithms does 23andMe use to allow large-scale downloads of user data based on specific demographics? How did hackers compile such a comprehensive list of impacted users to the dark web?" the senator asked.</div><div><br /></div><div>"How was mass user data, allegedly hundreds of personal accounts per compromised user account, obtained by access to a few individual accounts?" he asked.</div><div><br /></div><div>Threat actors earlier this month on the dark web claimed to have stolen "20 million pieces of code" from 23andMe. So far, leaked data that was put up for sale pertains to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry, 300,000 individuals with Chinese heritage, and, in the latest leak reported by Bleeping Computer, 4.1 million genetic profiles for people in Great Britain and Germany.</div><div><br /></div><div>23andMe earlier this month confirmed that it was investigating a credential-stuffing incident involving information scraped off the profiles of 23andMe users who opted in to using the company's DNA Relatives feature. 
DNA Relatives connects 23andMe users with distant genetic relatives - other 23andMe users who share bits of DNA (see: 23andMe Investigation Apparent Credential Stuffing Hack).</div><div><br /></div><div>23andMe in a statement to Information Security Media Group on Thursday declined to comment on the lawsuits and Cassidy's letter. The company also still maintained to ISMG its earlier position - as also reported to the U.S. Securities and Exchange Commission and relayed to customers in an Oct. 8 notice - that 23andMe "does not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks."</div><div><br /></div><div>The proposed class action lawsuits so far - all filed in the same Northern California federal court between Oct. 9 and Oct. 24 - allege similar claims, including that highly sensitive information entrusted to 23andMe by the plaintiffs and millions of class member customers is in the hands of cybercriminals, putting them at risk of identity theft and fraud due to the company's negligence in failing to protect the highly personal data.</div><div><br /></div><div>Some of the lawsuits also allege that the incident puts individuals at risk of discrimination and hate crimes because of leaked information about their genetic ancestry.</div><div><br /></div><div>"Given the fact that this breach specifically targeted those with Ashkenazi Jewish ancestry and in a climate of rising anti-Semitism, that anxiety and the compromised privacy are even more acute," alleges the lawsuit complaint filed on Oct. 
19 by lead plaintiff David Tulchinsky.</div><div><br /></div><div><b>Are Passwords the Problem?</b></div><div>Privacy attorney Adam Greene, who is not involved in the 23andMe case, said the proposed class actions against 23andMe most likely will be resolved through settlements rather than court decisions.</div><div><br /></div><div>But in the course of the litigation and fallout, the incident shines a spotlight on several critical issues raised by the 23andMe incident and similar hacks.</div><div><br /></div><div>"I think that this incident raises an important legal question for a court to resolve that strikes at the heart of our current password ecosystem," he said.</div><div><br /></div><div>"Is it reasonable for technology companies to rely on passwords alone when authenticating individuals? Or do technology companies have to build their security around the assumption that consumers will recycle passwords and such passwords will become compromised over time?" said Greene of the law firm Davis Wright Tremaine.</div><div><br /></div><div>"The answer to this question could have a profound impact on how logins across the Internet work."</div><div><br /></div><div><b>Financial Impact to be Determined</b></div><div>23andMe in an Oct. 11 filing with the SEC said the company is still discerning the implications of the incident. "At this time, 23andMe is unable to predict the costs and magnitude of those consequences," the company told the SEC.</div><div><br /></div><div>The firm said it has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact.</div><div><br /></div><div>"23andMe is fully cooperating with federal law enforcement in relation to this incident. 
23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations," the company told the SEC.</div><div><br /></div><div>For the 2023 fiscal year ended March 30, 23andMe reported net revenue of $299 million and a net loss of $312 million. The company attributed the net loss to an increase in operating expenses compared with the prior year, including increased headcount and salaries related in part to the $400 million acquisition in 2021 of a telemedicine business, Lemonaid Health.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-78259939225522000442023-10-29T07:30:00.001-07:002023-10-29T07:30:16.038-07:00StripedFly malware framework infects 1 million Windows, Linux hosts<div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXD6Y0pitrLMGO_YRphzvbb79wMiW7bGgDLSUNMQfVzHsZ4HZhQFK93vzcbaqQ6Cy-OkaB7Grl2M94canv-S9XPZQ6tWNtWe3piUKwVfIa4eeZPenI9IDeYi1oHw64gsEGwrlHj_seiPY3RZqdyYVkpPPAjCJ2Gx-dBqqbX5nS4_-mrTUBsJSU6xICg8Gx/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T200641.432.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXD6Y0pitrLMGO_YRphzvbb79wMiW7bGgDLSUNMQfVzHsZ4HZhQFK93vzcbaqQ6Cy-OkaB7Grl2M94canv-S9XPZQ6tWNtWe3piUKwVfIa4eeZPenI9IDeYi1oHw64gsEGwrlHj_seiPY3RZqdyYVkpPPAjCJ2Gx-dBqqbX5nS4_-mrTUBsJSU6xICg8Gx/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T200641.432.png" width="320" /></a></div><br /></div><div style="text-align: left;">A sophisticated cross-platform malware platform named StripedFly flew under the radar of 
cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.</div><div><br /></div><div>Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.</div><div><br /></div><div>The analysts describe StripedFly as nothing short of impressive, featuring sophisticated TOR-based traffic concealing mechanisms, automated updating from trusted platforms, worm-like spreading capabilities, and a custom EternalBlue SMBv1 exploit created before the public disclosure of the flaw.</div><div><br /></div><div>While it's unclear if this malware framework was utilized for revenue generation or cyber espionage, Kaspersky says its sophistication indicates that this is an APT (advanced persistent threat) malware.</div><div><br /></div><div>Based on the compiler timestamp for the malware, the earliest known version of StripedFly featuring an EternalBlue exploit dates to April 2016, while the public leak by the Shadow Brokers group occurred in August 2016.</div><div><br /></div><div>StripedFly in over a million systems</div><div>The StripedFly malware framework was first discovered after Kaspersky found the platform's shellcode injected in the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems.</div><div><br /></div><div>After investigating the injected code, they determined it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab.</div><div><br /></div><div>Further investigation showed that infected devices were likely first breached using a custom EternalBlue SMBv1 exploit that targeted internet-exposed computers.</div><div><br /></div><div>The final StripedFly payload (system.img) features a custom lightweight TOR network client to 
protect its network communications from interception, the ability to disable the SMBv1 protocol, and the ability to spread to other Windows and Linux devices on the network using SSH and EternalBlue.</div><div><br /></div><div>The malware's command and control (C2) server is on the TOR network, and communication with it involves frequent beacon messages containing the victim's unique ID.</div><div><br /></div><div>For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs with and the presence of PowerShell.</div><div><br /></div><div>Without PowerShell, it generates a hidden file in the %APPDATA% directory. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys.</div><div><br /></div><div>On Linux, the malware assumes the name 'sd-pam'. It achieves persistence using systemd services, an autostarting .desktop file, or by modifying various profile and startup files, such as /etc/rc*, profile, bashrc, or inittab files.</div><div><br /></div><div>The Bitbucket repository delivering the final stage payload on Windows systems indicates that between April 2023 and September 2023, there have been nearly 60,000 system infections.</div><div><br /></div><div>It is estimated that StripedFly has infected at least 220,000 Windows systems since February 2022, but stats from before that date are unavailable, and the repository was created in 2018.</div><div><br /></div><div>However, Kaspersky estimates that over 1 million devices were infected by the StripedFly framework.</div><div><br /></div><div>Malware modules</div><div>The malware operates as a monolithic binary executable with pluggable modules, giving it an operational versatility often associated with APT operations.</div><div><br /></div><div>Here's a summary of StripedFly's modules from Kaspersky's report:</div><div><br /></div><div><ul style="text-align: left;"><li>Configuration storage: Stores encrypted malware configuration.</li><li>Upgrade/Uninstall: Manages updates or removal based on C2 server commands.</li><li>Reverse proxy: Allows remote actions on the victim's network.</li><li>Miscellaneous command handler: Executes varied commands like screenshot capture and shellcode execution.</li><li>Credential harvester: Scans and collects sensitive user data like passwords and usernames.</li><li>Repeatable tasks: Carries out specific tasks under certain conditions, such as microphone recording.</li><li>Recon module: Sends detailed system information to the C2 server.</li><li>SSH infector: Uses harvested SSH credentials to penetrate other systems.</li><li>SMBv1 infector: Worms into other Windows systems using a custom EternalBlue exploit.</li><li>Monero mining module: Mines Monero while camouflaged as a "chrome.exe" process.</li></ul></div><div>The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.</div><div><br /></div><div>"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report.</div><div><br /></div><div>"Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150."</div><div><br /></div><div>"Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period."</div><div><br /></div><div>The researchers also identified links to the ransomware variant ThunderCrypt, which utilizes the same C2 server at "ghtyqipha6mcwxiz[.]onion:1111." 
</div><div><br /></div><div><br /></div><div>The 'repeatable tasks module' also suggests that the unidentified attackers could be interested in revenue generation for some victims.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-76264139659203694162023-10-29T07:19:00.000-07:002023-10-29T07:19:00.627-07:00Security Agency Rolls Out Protective DNS for Schools<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiun9hsiNd6dpFLgS8mN8GJw07-wfjEBK1JVr2e9Qs-xIXkOof4rlP6EYSLgURiCJB9xLP0ie0Il6S9s8WvOk_8O1UU1LQlsKyvEfHTgxkjnxz1bdUzvNg5F-Y0Ekw97qnpKZ2oEOYeSB5HyuzBP9D-CRVVw_9zRrbOXJSrim5HmRXgnAahot98yKc8hDrT/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T195507.203.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiun9hsiNd6dpFLgS8mN8GJw07-wfjEBK1JVr2e9Qs-xIXkOof4rlP6EYSLgURiCJB9xLP0ie0Il6S9s8WvOk_8O1UU1LQlsKyvEfHTgxkjnxz1bdUzvNg5F-Y0Ekw97qnpKZ2oEOYeSB5HyuzBP9D-CRVVw_9zRrbOXJSrim5HmRXgnAahot98yKc8hDrT/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T195507.203.png" width="320" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;"> The UK’s National Cyber Security Centre (NCSC) has announced the launch of a new offering designed to prevent school users visiting malicious websites.</div><div><br /></div><div>PDNS for Schools is completely free and will be rolled out from now into the coming year, according to NCSC deputy director for economy and society, Sarah Lyons.</div><div><br /></div><div>“This timeframe will allow us to test capacity in the service and ensure we can deliver a PDNS offer to the different types of schools 
across the UK,” she explained.</div><div><br /></div><div>PDNS for Schools is based on a long-running and highly successful part of the NCSC’s Active Cyber Defence strategy: the Protective Domain Name Service (PDNS).</div><div><br /></div><div>Implemented by .uk registry Nominet back in 2017, it is a recursive resolver – finding answers to DNS queries and blocking access to risky sites.</div><div><br /></div><div>“PDNS prevents access to domains known to be malicious, by simply not resolving them. Preventing access to malware, ransomware, phishing attacks, viruses, malicious sites and spyware at source makes the network more secure,” the NCSC explained.</div><div><br /></div><div>“In addition, PDNS provides organizations that use it with metrics about the health of their networks and gives them access to NCSC outreach support to resolve any issues. The data from PDNS is also used to inform and support UK government cyber-incident response functions in the event of a cyber-attack.”</div><div><br /></div><div>The UK’s education sector certainly needs some help. Recent research from the NCSC published in January found that over three-quarters (78%) of schools had experienced at least one type of cyber-incident. 
A similar share (73%) said they experienced either phishing emails sent to staff or staff being directed to fraudulent websites, up from 69% in the 2019 report.</div><div><br /></div><div>Ahead of the new school year beginning last month, several schools reported major disruption after suspected ransomware attacks.</div><div><br /></div><div>Those keen to use PDNS for Schools don’t need to do anything until a full rollout is announced in the first part of 2024, the NCSC said.</div><div><br /></div><div>In the meantime, local authorities in England and eligible public sector networks in Scotland, Wales and Northern Ireland that provide DNS to their schools are encouraged to sign up for the service.</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0tag:blogger.com,1999:blog-8087996188166958940.post-88689202405252823202023-10-29T07:07:00.001-07:002023-10-29T07:07:29.633-07:00N. Korean Lazarus Group Targets Software Vendor Using Known Flaws<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVKr85qmyT4Q6c66CcmKtNuvvWu1Wu0zXCdOB7KXl35KJfSAukWVtnNoVBXJPZsqE73Cb1KUOhoHkdkvSR1nVsqmCx9HkcceSpMtoZV_3148pz0OMKBxkpd6DUBf-AmfXTfMHElP_WjxxMeFFX5M9tfZNrwjv7nChvhutrN1kJD4yLR9LEA9O5Jhc0i_CE/s1080/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T194310.562.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1080" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVKr85qmyT4Q6c66CcmKtNuvvWu1Wu0zXCdOB7KXl35KJfSAukWVtnNoVBXJPZsqE73Cb1KUOhoHkdkvSR1nVsqmCx9HkcceSpMtoZV_3148pz0OMKBxkpd6DUBf-AmfXTfMHElP_WjxxMeFFX5M9tfZNrwjv7nChvhutrN1kJD4yLR9LEA9O5Jhc0i_CE/s320/Kimsuky's%20Hack%20Targeting%20North%20Korean%20Affairs%20for%20Intel%20-%202023-10-29T194310.562.png" width="320" /></a></div><br /><div style="text-align: left;"><br 
/></div><div style="text-align: left;"> The North Korea-aligned Lazarus Group has been attributed as the actor behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software product.</div><div><br /></div><div>The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery.</div><div><br /></div><div>"The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques."</div><div><br /></div><div>The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the 3CX supply chain attack.</div><div><br /></div><div>The Lazarus Group "continued to exploit vulnerabilities in the company's software while targeting other software makers," Park added. As part of the latest activity, a number of victims are said to have been singled out as of mid-July 2023.</div><div><br /></div><div>The victims, per the company, were targeted through legitimate security software designed to encrypt web communications using digital certificates. The name of the software was not disclosed, and the exact mechanism by which the software was weaponized to distribute SIGNBT remains unknown.</div><div><br /></div><div>Besides relying on various tactics to establish and maintain persistence on compromised systems, the attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.</div><div><br /></div><div>The main function of SIGNBT is to establish contact with a remote server and retrieve further commands for execution on the infected host. The malware is so named for its use of distinctive strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications:</div><div><br /></div><div><ul style="text-align: left;"><li>SIGNBTLG, for initial connection</li><li>SIGNBTKE, for gathering system metadata upon receiving a SUCCESS message from the C2 server</li><li>SIGNBTGC, for fetching commands</li><li>SIGNBTFI, for communication failure</li><li>SIGNBTSR, for a successful communication</li></ul></div><div>The Windows backdoor, for its part, is armed with a wide range of capabilities to exert control over the victim's system. This includes process enumeration, file and directory operations, and the deployment of payloads such as LPEClient and other credential-dumping utilities.</div><div><br /></div><div>Kaspersky said it identified at least three disparate Lazarus campaigns in 2023 that used varied intrusion vectors and infection procedures but consistently relied on LPEClient malware to deliver the final-stage malware.</div><div><br /></div><div>One such campaign paved the way for an implant codenamed Gopuram, which was used in cyber assaults targeting cryptocurrency companies by leveraging a trojanized version of the 3CX voice and video conferencing software.</div><div><br /></div><div>The findings are the latest example of North Korean-linked cyber operations and a testament to the Lazarus Group's ever-evolving and ever-expanding arsenal of tools, tactics, and techniques.</div><div><br /></div><div>"The Lazarus Group remains a highly active and versatile threat actor in today's cybersecurity landscape," Park said.</div><div><br /></div><div>"The threat actor has demonstrated a profound understanding of IT environments, refining their tactics to include 
exploiting vulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial infections are achieved."</div>Divya Singhhttp://www.blogger.com/profile/17523219030525979218noreply@blogger.com0